Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Title
c
ctrick
10/26/2022, 10:14 PMHello, im not sure if im doing something wrong of of its maybe a bug.
Im using Nextjs. If i call my api that revoke All Session for the current user (await Session.revokeAllSessionsForUser(userId);)
I can still use the frontend and make other api calls.
Frontend is protected with SessionAuth and api with superTokensNextWrapper/verifySession.
ACCESS_TOKEN_BLACKLISTING is enabled.
Why i can still use the frontend after revoking all sessions.
I want to logout all devices of the user
r
rp
10/27/2022, 5:03 AMhey @ctrick
how have you enabled ACCESS_TOKEN_BLACKLISTING?
c
ctrick
10/27/2022, 6:52 AMHey @rp
I added ACCESS_TOKEN_BLACKLISTING to the env in my docker compose file
supertokens:
image: registry.supertokens.io/supertokens/supertokens-postgresql
depends_on:
- db
ports:
- 3567:3567
environment:
POSTGRESQL_CONNECTION_URI: "postgresql://supertokens_user:somePassword@db:5432/supertokens"
ACCESS_TOKEN_BLACKLISTING: "true"
i checked the config.yaml inside the docker container.
ACCESS_TOKEN_BLACKLISTING is set to true
r
rp
10/27/2022, 7:21 AMhmm. Can you call the handshake API (https://app.swaggerhub.com/apis/supertokens/CDI/2.16.2#/Session%20Recipe/sessionHandshake) on the core instance and show me the result from it?
c
ctrick
10/27/2022, 7:34 AM{"data":{"status":"OK","jwtSigningPublicKey":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr00Y6Hvltt4vdpwuvpwZjzD4S4/xffXWQaKDZn0vbvo6ZNEcwbA1clsW2FHAP+rVSfMkJWQwLTawdU012cDunGFy276b60fCl9Qa2dl0wXNb5TB/sxYuJZEOkr8lZy79seXoIyjssIHAMZYXvNW7wOSPcCTK9ovPsMbT8V/PSbkAwiVC+5gwahnwaKxY3Fq0zmWCc7qB3xu/V2PXdWWjNp3sb8lzx0vVsA94wWVPflK7wSMBl8E7oZ5i+I/vNS6f0lb69m9kQNae44tbZ6Qy4xfGrEHSAU5sayvjkAI/RzwoMDXu6Y1cryFuCAZKqVAceVexLwU4YX+Db6IzjKWqPQIDAQAB","jwtSigningPublicKeyExpiryTime":1667424951986,"jwtSigningPublicKeyList":[{"publicKey":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr00Y6Hvltt4vdpwuvpwZjzD4S4/xffXWQaKDZn0vbvo6ZNEcwbA1clsW2FHAP+rVSfMkJWQwLTawdU012cDunGFy276b60fCl9Qa2dl0wXNb5TB/sxYuJZEOkr8lZy79seXoIyjssIHAMZYXvNW7wOSPcCTK9ovPsMbT8V/PSbkAwiVC+5gwahnwaKxY3Fq0zmWCc7qB3xu/V2PXdWWjNp3sb8lzx0vVsA94wWVPflK7wSMBl8E7oZ5i+I/vNS6f0lb69m9kQNae44tbZ6Qy4xfGrEHSAU5sayvjkAI/RzwoMDXu6Y1cryFuCAZKqVAceVexLwU4YX+Db6IzjKWqPQIDAQAB","expiryTime":1667432151986,"createdAt":1666820151986}],"accessTokenBlacklistingEnabled":true,"accessTokenValidity":3600000,"refreshTokenValidity":8640000000}}r
rp
10/27/2022, 7:40 AMhmm. So the
accessTokenBlacklistingEnabledtruewhen you call revoke session for user, do the sessions get cleared in the db?
c
ctrick
10/27/2022, 7:40 AMi never checked in the db of supertokens
r
rp
10/27/2022, 7:41 AMmaybe you should.
and make sure that the userId you are passing to that function is correct.
c
ctrick
10/27/2022, 7:42 AMWhat i can tell. I get an empty array from Session.getAllSessionHandlesForUser(userId); after using Session.revokeAllSessionsForUser(userId);
r
rp
10/27/2022, 7:42 AMhmm. And before calling
revokeAllSessionsForUsergetAllSessionHandlesForUserc
ctrick
10/27/2022, 7:44 AMI try to explain it a bit more detailed.
I sign in twice with the same user in my browser.
1 signin in NOT private mode and 1 signin in private mode of chrome
The with 1 user i call my /api/revoke-all-sessions
This api endpoint do a await Session.revokeAllSessionsForUser(userId);
yes
r
rp
10/27/2022, 7:45 AMI see.
Can you open an issue about this on our github? We will have a look at it asap
oh and one thing to make sure if that you have to restart the next app after making the config change - did you do that?
c
ctrick
10/27/2022, 7:48 AMyes i cancelled my app. And restert it with yarn dev
r
rp
10/27/2022, 7:48 AMhmm ok
If you could just please open a github issue about this, it would be great
c
ctrick
10/27/2022, 7:49 AMthats my api. On first request i get my session handles. And on second they are empty
but i still have a session
Yes! 🙂 i just wnated to be sure. Before openeing an github issue. I don't want to get insulted 😄
r
rp
10/27/2022, 7:50 AMoh don't worry about it. Worst case, if it's not a bug, the issue will just be closed 🙂
c
ctrick
10/27/2022, 7:50 AMMaybe i should test with the hosted core system?
Possibly a docker bug?
on which repo should i open the issue?
r
rp
10/27/2022, 7:55 AMit's not a docker bug for sure
you can open an issue in the supertokens-node repo
c
ctrick
10/27/2022, 7:58 AMi tested with the hosted version. Now it works 😄
r
rp
10/27/2022, 7:59 AMhmm. Thats very strange
cause the hosted version uses the same docker image as the self hosted one