Session invalidation

Imagine an account that is logged in on 3 different devices, and each device has its own refresh token.

If the account owner changes their password, or links a new authentication method (for example, Custom Auth), what happens to the existing refresh tokens on those devices? Will the other sessions continue to work, or should they be invalidated?

In the future, I also want to add session management so users can see all active sessions for their account. What is the best way to track active sessions, allow users to revoke specific sessions, and invalidate all sessions when needed?

Hi @Mohsen,

Changing passwords/linking/unlinking should not invalidate any existing sessions, unless sessionLogout is explicitly called in custom after-hooks for linking/unlinking etc.

Nakama sessions are just JWT tokens; the server does not track issued sessions, it only keeps a blacklist of non-expired invalidated tokens. Thus, there’s no API to list issued tokens. Sessions are blacklisted only if the user explicitly calls the sessionLogout API, if he’s banned or if his account is deleted.

You could maybe add a management layer on top of this with after-hooks on authentication, storing some metadata around any new sessions (client_id, expiry, etc.) in a storage object, and adding a custom RPC to list and then call sessionLogout on any specific session the user wishes to invalidate. Be mindful that if no token/refresh token is passed as args to sessionLogout, all currently issued tokens will be considered invalid.

Best.
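Added example (not code from the thread or from Nakama itself): a Go sketch of the management layer the reply describes. The after-authenticate hook, the storage object and the server's session-logout call are stand-ins here, modelled as a `Record` method, an in-memory map and an injected `LogoutFunc`, so the logic runs stand-alone; wiring them to Nakama's real runtime hooks and `SessionLogout` is left to the reader. The `FakeLogout` type imitates the blacklist behaviour quoted above (a specific token pair blacklists just that pair; empty arguments invalidate every token issued to the user), and `Revoke` always passes the stored pair so a per-session revoke cannot silently become a revoke-all. All identifiers and sample tokens are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// SessionRecord is the metadata an after-authenticate hook would persist per
// issued token pair (in Nakama this would be a JSON storage object).
type SessionRecord struct {
	ID           string    // opaque id the client uses when revoking
	Token        string    // session JWT exactly as issued
	RefreshToken string    // refresh JWT exactly as issued
	ClientID     string    // client/device label supplied at login
	ExpiresAt    time.Time // refresh-token expiry; after this the record is dead
}

// LogoutFunc stands in for the server's session-logout call (assumption: same
// semantics as described in the thread, i.e. empty token arguments mean
// "invalidate everything currently issued to this user").
type LogoutFunc func(userID, token, refreshToken string) error

var ErrUnknownSession = errors.New("unknown session id")

// SessionRegistry keeps the per-user list and wraps LogoutFunc.
type SessionRegistry struct {
	mu     sync.Mutex
	byUser map[string][]SessionRecord
	logout LogoutFunc
	now    func() time.Time
}

func NewSessionRegistry(logout LogoutFunc, now func() time.Time) *SessionRegistry {
	return &SessionRegistry{byUser: map[string][]SessionRecord{}, logout: logout, now: now}
}

// Record is what the after-authenticate hook would call with the new tokens.
// Rejecting empty tokens here is what keeps Revoke from ever passing empty
// arguments (the revoke-all footgun) to the logout call.
func (r *SessionRegistry) Record(userID string, rec SessionRecord) error {
	if rec.ID == "" || rec.Token == "" || rec.RefreshToken == "" {
		return errors.New("session record needs id, token and refresh token")
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	for _, existing := range r.byUser[userID] {
		if existing.ID == rec.ID {
			return fmt.Errorf("duplicate session id %q", rec.ID)
		}
	}
	r.byUser[userID] = append(r.byUser[userID], rec)
	return nil
}

// List backs a "show my sessions" RPC. Expired records are dropped on read so
// the view only contains sessions whose tokens could still be used.
func (r *SessionRegistry) List(userID string) []SessionRecord {
	r.mu.Lock()
	defer r.mu.Unlock()
	live := r.byUser[userID][:0]
	for _, rec := range r.byUser[userID] {
		if rec.ExpiresAt.After(r.now()) {
			live = append(live, rec)
		}
	}
	r.byUser[userID] = live
	return append([]SessionRecord(nil), live...)
}

// Revoke blacklists exactly one session by passing its stored token pair.
func (r *SessionRegistry) Revoke(userID, sessionID string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	recs := r.byUser[userID]
	for i, rec := range recs {
		if rec.ID != sessionID {
			continue
		}
		if err := r.logout(userID, rec.Token, rec.RefreshToken); err != nil {
			return err
		}
		r.byUser[userID] = append(recs[:i], recs[i+1:]...)
		return nil
	}
	return ErrUnknownSession
}

// RevokeAll is the deliberate "log out everywhere" path: empty token arguments.
func (r *SessionRegistry) RevokeAll(userID string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	if err := r.logout(userID, "", ""); err != nil {
		return err
	}
	delete(r.byUser, userID)
	return nil
}

// FakeLogout imitates the blacklist the reply describes, for offline use.
type FakeLogout struct {
	Blacklisted map[string]bool // token or refresh token -> blacklisted
	AllRevoked  map[string]bool // userID -> every issued token invalid
}

func NewFakeLogout() *FakeLogout {
	return &FakeLogout{Blacklisted: map[string]bool{}, AllRevoked: map[string]bool{}}
}

func (f *FakeLogout) Logout(userID, token, refreshToken string) error {
	if token == "" && refreshToken == "" {
		f.AllRevoked[userID] = true
		return nil
	}
	f.Blacklisted[token] = true
	f.Blacklisted[refreshToken] = true
	return nil
}

func main() {
	logout := NewFakeLogout()
	now := time.Now()
	reg := NewSessionRegistry(logout.Logout, func() time.Time { return now })
	// Constructed sample data: one account logged in on three devices.
	for _, c := range []string{"phone", "tablet", "desktop"} {
		_ = reg.Record("user-1", SessionRecord{ID: "s-" + c, Token: "jwt-" + c,
			RefreshToken: "rjwt-" + c, ClientID: c, ExpiresAt: now.Add(24 * time.Hour)})
	}
	_ = reg.Revoke("user-1", "s-tablet")
	fmt.Println(len(reg.List("user-1")), logout.Blacklisted["rjwt-tablet"], logout.AllRevoked["user-1"])
}
```

The stored `Token`/`RefreshToken` are the values needed to target one session, so the storage object holding them must only be readable by the owning user (or by the server-side RPC alone); a session listing that exposes other users' tokens would itself be a takeover vector.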