Block users

Grall

04/04/2023, 5:49 PM
Heya, is it possible to forcefully sign out a user and prevent further sessions? Sorta like blocking?

rp

04/04/2023, 5:57 PM
You can block users:
- Override the sign in API for your recipe to check if the user has been blocked, and if they have been blocked, then throw an error instead of calling the original implementation.
- Override the session refresh API to first call the original implementation to get the session object, and then see if the user is blocked, and if they are, call the session.revokeSession function before returning the response.
This would prevent the blocked user from signing in, and if they are already logged in, their session refresh will eventually fail.

Grall

04/05/2023, 9:03 AM
Hi, thanks a lot for your detailed explanation. Just one question: is it possible, with cookie sessions, to log them out immediately?

rp

04/05/2023, 9:08 AM
You could augment the session verification middleware we have (by making your own middleware) to check if the session handle exists in the core post session verification, by calling the getSessionInformation function (https://supertokens.com/docs/nodejs/modules/recipe_session.html#getSessionInformation-1), and if it returns undefined, send back a 401. That being said, this will slow down session verification since it will require a round trip to the core. You could add some heuristic for when you want to do this additional check - for example, doing this only in non-GET APIs.

Grall

04/08/2023, 6:15 PM
For example, deleting an account.

rp

04/09/2023, 5:23 AM
Yes, it is possible to request an OTP once the user is logged in to confirm dangerous actions. You can add a timestamp to the access token payload indicating the last time the user was authenticated. On a route or API which requires a dangerous action, you can fetch the access token payload and check the value of the timestamp. If this value is before a certain time (say before 5 mins ago), then you can redirect the user to a screen asking them to re-login or do some login challenge, such as entering an OTP. Once the login challenge is finished, you can update the timestamp in the access token payload. To actually send the OTP, you need to create an API which will first verify the session, and then use the passwordless recipe to generate a code and send the code via SMS / email (we have functions for these in our backend SDKs). And then when the user types in an OTP, send it to another API of yours which once again verifies the session, and calls the consumeCode function in the passwordless recipe to check if the code is OK or not. If the code is OK, then you can update the session to indicate that the last reauth time is now, and proceed to doing the sensitive operation.