Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Block users
g
Grall
04/04/2023, 5:49 PMHeya, is it possible to forcefully sign out a user and prevent further sessions? Sorta like blocking?
r
rp
04/04/2023, 5:57 PMYou can block users:
- Override the sign in API for your recipe to check if the user has been blocked, and if they have been blocked, then throw an error instead of calling the original implementation.
- Override the session refresh API to first call the original implementation to get the session object, and then see if the user is blocked, and if they are call the session.revokeSession function before returning the response.
This would cause the blocked user to sign in and if they are logged in, their session refresh will eventually fail.
st-bot-test-case
g
Grall
04/05/2023, 9:03 AMHi, thanks a lot for your detailed explanation just one question, is it possible to have cookie session to log them out immediately?
r
rp
04/05/2023, 9:08 AMYou could augment the session verification middleware we have (by making your own middleware) to check if the session handle exists in the core post session verification (by calling the getSessionInformation function (https://supertokens.com/docs/nodejs/modules/recipe_session.html#getSessionInformation-1), and if it returns undefined, send back a 401.
That being said, this will slow down session verification since it will require a round trip to the core. You could add some heuristic for when you want to do this additional check - for example, doing this only in non GET APIs.
g
Grall
04/08/2023, 6:15 PMfor example deleting an account
r
rp
04/09/2023, 5:23 AMYes, it is possible to request an OTP once the user is logged in to confirm dangerous actions. You can add a timestamp to the access token payload indicating the last time the user was authenticated. On a route or API which requires a dangerous action, you can fetch the access token payload and check the value of the timestamp. If this value is before a certain time (say before 5 mins ago), then you can redirect the user to a screen asking them to re-login or do some login challenge, such as entering an OTP. Once the login challenge is finished, you can update the timestamp in the access token payload.
To actually send the OTP, you need to create an API which will first verify the session, and then use the passwordless recipe to generate a code and send the code via SMS / email (we have functions for these in our backend SDKs)
And then when the user types in an OTP, send it to another API of yours which once again verifies the session, and calls the
consumeCode