Comments (8)
I don't think it's possible for us to force expire an access token? I think we just have to wait for it to expire 🤷♂️
from auth.
@awalias what should we do in situations when a user already has a token and after that an admin blocks him? Do we need to handle this case, or is it OK to just wait until his token expires?
@awalias maybe it would be better to make routes like /admin/users/{user_id}/disable and /admin/users/{user_id}/enable and switch the method from POST to PATCH? In my opinion, it seems to be the better choice. What do you think?
Sorry for such questions, but it's better to ask them before implementing the task rather than after finishing it.
I wonder whether we should extend the existing POST /user endpoint with enable/disable functionality:
and make a new route for UserUpdate
that is only accessible by Admin Users.
What do you think? It will enable admins to change other data about a user (and more can be added in the future).
but I also like your solution 🤔
Your approach is more scalable in the future than mine. OK, I'll implement an admin analog of the UserUpdate method =)
> I don't think it's possible for us to force expire an access token? I think we just have to wait for it to expire 🤷♂️
This is not necessarily true, and largely depends on how you verify the validity of tokens. Aside from checking the signature, and indeed even before checking the signature, you might want to check the `sub` (or other relevant claim) against a blacklist to see if the token should be disallowed.
The tricky bit is of course how you make sure your blacklist is accurate and up to date. It may not be palatable to look it up in the DB on every request, but on the other hand if you don't look it up on every request, there's a good chance you'll have a race condition where a request comes in and makes it all the way before the blacklist is propagated to wherever tokens are checked. To be fair though, depending on where in the flow you're checking the validity of a token you may well end up with a race condition anyway.
The way I've done this in the past is to have a mechanism for blacklisting tokens based on one or a combination of claims, e.g. for individual users it may be the `sub` claim, for groups of users it may be something else, a custom claim like `grp`, or even individual role permissions like `role`. Maybe it's a combination of things: maybe a user should have general access but lost admin privileges, so any token with `sub=1234` and `role='admin'` should be rejected. This blacklist lives at the API gateway, and that's the source of truth. Anything that gets past the gateway is assumed to be valid (though signatures may still be checked, just not blacklist rules), and anything behind the gateway only accepts requests coming from the gateway. Any request coming from another source is dropped without further consideration.
It's a decent compromise which allows for blocking tokens even if their expiration time is quite far into the future. Blacklist rules generally don't expire, so care has to be taken to make it performant, and that of course largely depends on how complicated the rules can get. If all you're doing is field comparison it's a pretty fast lookup, but if you start doing fancy stuff like regex checks or multiple field comparisons you have to be really careful to make sure the expensive checks happen as late as possible, and the cheap checks act as circuit breakers first.
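The claim-based blacklist described in the comment above, as an added example that is not part of the original thread or of the auth project's own code. It decodes the payload of a compact JWS as a pre-filter (no signature check is performed here; that step is assumed to happen separately, as the comment says), then evaluates rules in which cheap exact-match claim comparisons run first and act as circuit breakers, so a regex on a claim only runs once every equality in the same rule has matched. The `sub`/`role` rule and the `grp` pattern are constructed sample rules, and the token builder produces an unsigned sample token purely so the example runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Claims is the decoded JWT payload; only claims referenced by rules need to be present.
type Claims map[string]any

// Rule rejects a token when every Equals entry and every Matches entry holds.
// Equals is evaluated first because a string compare is far cheaper than a regex.
type Rule struct {
	Name    string
	Equals  map[string]string         // claim name -> required exact value
	Matches map[string]*regexp.Regexp // claim name -> required pattern (evaluated last)
}

// Blacklist is the gateway's source of truth: an ordered list of rejection rules.
type Blacklist struct {
	rules []Rule
}

// Add appends a rule; order rules so the ones most likely to hit come first.
func (b *Blacklist) Add(r Rule) { b.rules = append(b.rules, r) }

// Blocked returns the name of the first rule that rejects the claims, or "" if none does.
func (b *Blacklist) Blocked(c Claims) string {
	for _, r := range b.rules {
		if r.matches(c) {
			return r.Name
		}
	}
	return ""
}

// matches runs the cheap equality checks first; any miss short-circuits before the regexes.
func (r Rule) matches(c Claims) bool {
	for key, want := range r.Equals {
		got, ok := claimString(c, key)
		if !ok || got != want {
			return false
		}
	}
	for key, re := range r.Matches {
		got, ok := claimString(c, key)
		if !ok || !re.MatchString(got) {
			return false
		}
	}
	return true
}

// claimString renders a claim for comparison. JSON numbers decode as float64, so a
// numeric "sub": 1234 compares equal to the rule value "1234".
func claimString(c Claims, key string) (string, bool) {
	switch v := c[key].(type) {
	case string:
		return v, true
	case float64:
		return strconv.FormatFloat(v, 'f', -1, 64), true
	case bool:
		return strconv.FormatBool(v), true
	}
	return "", false
}

// DecodeClaims extracts the payload of a compact JWS WITHOUT verifying the signature.
// This is only a pre-filter: a token that clears the blacklist must still be verified.
func DecodeClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS (expected 3 segments)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return c, nil
}

// MakeUnsignedToken builds a constructed sample token with a placeholder signature so the
// example runs offline; real tokens would be signed by the auth server.
func MakeUnsignedToken(c Claims) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".placeholder-sig"
}

func main() {
	var bl Blacklist
	// Sample rules (constructed): user 1234 keeps general access but loses admin tokens,
	// user 42 is fully disabled, and every contractor group token is rejected.
	bl.Add(Rule{Name: "1234-no-admin", Equals: map[string]string{"sub": "1234", "role": "admin"}})
	bl.Add(Rule{Name: "42-disabled", Equals: map[string]string{"sub": "42"}})
	bl.Add(Rule{Name: "contractors", Matches: map[string]*regexp.Regexp{"grp": regexp.MustCompile(`^contractor-`)}})

	for _, tok := range []string{
		MakeUnsignedToken(Claims{"sub": "1234", "role": "admin"}),
		MakeUnsignedToken(Claims{"sub": "1234", "role": "user"}),
		MakeUnsignedToken(Claims{"sub": 42, "role": "user"}),
		MakeUnsignedToken(Claims{"sub": "7", "grp": "contractor-eu"}),
	} {
		c, err := DecodeClaims(tok)
		if err != nil {
			fmt.Println("reject (malformed):", err)
			continue
		}
		if name := bl.Blocked(c); name != "" {
			fmt.Printf("reject sub=%v by rule %q\n", c["sub"], name)
		} else {
			fmt.Printf("pass sub=%v (signature check still required)\n", c["sub"])
		}
	}
}
```

Note that the blacklist is consulted purely on claim values, so a forged token with a blacklisted `sub` is rejected for free, while a forged token with a clean `sub` is only caught by the signature verification that follows; the pre-filter never replaces that step.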
🎉 This issue has been resolved in version 2.4.0 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀