
I want to guarantee that the users of the app only have access to it on one device at a time. Therefore, I thought of ending all the existing user sessions when logging in and therefore revoking the existing access and refresh tokens.

My aim is that the devices/sessions which might be active in the meantime are also logged out and need to sign in again.

How can I detect all the access tokens and revoke them on the server-side?

Or is there any better way of achieving this?

Thanks!

ktm125
  • Look at this: https://stackoverflow.com/questions/38345085/firebase-authentication-state-change-does-not-fire-when-user-is-disabled-or-dele – shadowsheep Mar 01 '18 at 17:10
  • Thanks for the answer! So the only solution seems to be a workaround, or has anything been changed (e.g. a listener for the token being revoked, the auth state listener firing in that case, etc.) since the post was discussed? – ktm125 Mar 01 '18 at 17:58
  • Dunno, but I guess @doug-stevenson is the man ;) – shadowsheep Mar 01 '18 at 18:47
  • Look also at this, if it could be of any help. Personally I still have this setup (the previous one and this): https://stackoverflow.com/questions/48862359/user-authentication-persisted-after-having-cancelled-the-user-from-console-fireb – shadowsheep Mar 01 '18 at 18:49

0 Answers