Force logout user / invalidate JWT token
Hello, is it possible to force logout a user / invalidate a JWT token on the backend side so that the player needs to log in again?
Assuming you're using Convex Auth, there isn't a direct function but there's some info that should help you find a path forward here: https://labs.convex.dev/auth/advanced#session-validity
well this doc has not enough info for me. i don't see how to logout user there.
also "you need to make sure your client can handle the state where the JWT is valid but the session is not." how should the client detect if session is not valid?
sounds like we should add this to the docs once we figure out a recommendation cc @dowski
@Starlord that doc says
"an existing session is invalidated (deleted), the user is not automatically signed out until the JWT expires"
and I see the bit you mention
"If you want session validity to be reflected immediately, you need to actually load the current session in your queries/mutations/actions, and you need to make sure your client can handle the state where the JWT is valid but the session is not."
so you need to delete the session, and check for the session in Convex functions that you want to be quickly logged out-able
still don't understand it. how will client understand that session expired?
and how can i force log out
Note: I'm trying to help you figure out how to do something I haven't done myself
Based on docs you should be able to validate a user's session by passing their id to this method: https://labs.convex.dev/auth/api_reference/server#invalidatesessions
Then, a Convex function is going to have to be your vehicle for communicating to the client that the session has expired. There is no convention for this currently, it would be some value that you send back from a query/mutation/action called by the client (or a specific error), and then in the client, when you encounter that value, call signOut(). At least that's how I'd try approaching it.
Again, I haven't tried this myself, and there is no blessed approach for this currently. But this should be enough for you to take and run with.
Hmm actually I'd expect getAuthUserId() to return null once you call invalidSessions() with a userId. If that's correct, I'd either have a helper that I use everywhere or use custom functions to return a consistent ConvexError (or some sort of value if you don't want to throw an error) and then use custom useQuery/useMutation/useAction for any Convex client calls, and have all of them run signOut() when they encounter that error or value.
Hope that makes sense (and that I'm not missing something conceptually).
Custom functions: https://github.com/get-convex/convex-helpers/blob/16014342c4baa666483359139b9e40f67bfcbe70/packages/convex-helpers/README.md#custom-functions
Having trouble finding supporting article/doc for custom useQuery, could have sworn that was a pattern that's written down somewhere
getAuthUserId is kind of a thin wrapper around getting the user from the context
i think that's a connection/websocket scoped bit of data
i'm not sure that it's reactive to changes in the database
i think overall you could change your code that wants to ensure a user is logged in from just looking at getAuthUserId to also ensuring that they have a valid entry in authSessions
getAuthUserId isn't reactive?
i'm not sure, actually
oh you said not sure, got it. I've been banking on it being reactive personally 😅
it probably is and i'm just wrong 🙃
lol I will belay my panic
What does force log out mean here, you want the website to visually change? Then yeah use a query that returns something about logged in state, e.g. the current user, and return null if the session doesn't exist, and your webapp can notice the change in that value
here's a diff showing how you might do something like trigger a logout when the backend session is deleted:
https://gist.github.com/dowski/95836458ef482ec0b8cd74bf701c67a1
i was playing around in a copy of the https://github.com/get-convex/convex-auth-example repo which is what the diff is based on
That's awesome
Note: the example would log the user out if any error occurs, but you should be able to just check for the specific error string
yep good point
thank you
just strange getAuthUserId doesn't check it automatically already
@Starlord as you have thoughts on this stuff you might file issues on https://github.com/get-convex/convex-auth; no guarantee they're fixed anytime soon but it's easier to collect feedback there because other people might find this from a search
also that's where we'll change the docs