
Add way to invalidate other sessions when the user changes their password.

See original GitHub issue

Is your feature request related to a problem? Please describe.
We’re implementing a custom forgot password flow on our web app and, while changing the password works fine, I would’ve expected other sessions to be invalidated. We have a mobile app that goes along with the web app and the mobile app stays logged in.

Describe the solution you’d like
I would like a way to be able to invalidate other sessions after the user changes their password via the forgot password Auth flow. We call Auth.forgotPassword to send the user the verification code, and Auth.forgotPasswordSubmit with their username, verification code, and new password already. An additional optional parameter on forgotPasswordSubmit would be nice to indicate we want to invalidate other sessions.

Describe alternatives you’ve considered
I considered using Auth.signOut({ global: true }), but that requires the user being signed into the app in the first place; the forgot password flow only applies when the user is already signed out on the local session in our app.

Issue Analytics

  • State: open
  • Created: 3 years ago
  • Reactions: 7
  • Comments: 8 (2 by maintainers)

Top GitHub Comments

2 reactions
jerocosio commented, Aug 4, 2022

Hey @elorzafe, thanks for the quick reply. I actually use the global signout flag on my app, but I believe that even this would allow the attacker to have access at least until the refresh token expires, right? And the minimum time for the refresh tokens is 60 minutes, so the attacker could still have access to the account during this time.

1 reaction
jerocosio commented, Aug 9, 2022

Hello @elorzafe, I’m currently sending an e-mail to my users whenever there’s a password reset. I’m doing this with a Cognito trigger and a Lambda function. Is there some way that I could invalidate the tokens in this function?
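The following is an added example and not code from the issue, its commenters, or the Amplify project. It shows one way a Cognito Lambda trigger of the kind mentioned in the comment above can do the revocation the issue asks for: the user pool's Post confirmation trigger fires with triggerSource PostConfirmation_ConfirmForgotPassword when forgotPasswordSubmit completes, and at that point the function can call AdminUserGlobalSignOut for the user, which revokes every refresh token that user holds on every device and makes Cognito's own APIs stop accepting the user's access and ID tokens. The example also carries the caveat a practitioner needs: a service that verifies the JWT signature locally (the app's own API, an API Gateway JWT authorizer) still accepts an already-issued access or ID token until its exp, so the function records when the password changed and the API rejects tokens whose iat is not later than that. Assumptions, all mine: the IAM role of the function allows cognito-idp:AdminUserGlobalSignOut, the `store` Map stands in for whatever persistence the app's API can also read, and the event, pool id and claims are constructed sample data.

```javascript
// Added example (not from the issue, its commenters, or the Amplify project).
// Cognito "Post confirmation" Lambda trigger: on a completed forgot-password
// flow, revoke the user's tokens everywhere, then give the app's API a rule to
// reject tokens minted before the reset. Assumptions: the trigger is attached
// to the user pool's Post confirmation hook, the function's IAM role allows
// cognito-idp:AdminUserGlobalSignOut, and `store` (a Map here) stands in for
// persistence the app's API can read.

// Post confirmation fires for sign-up confirmation too; only this source means
// "the password was just reset through the forgot-password flow".
const FORGOT_PASSWORD_CONFIRMED = 'PostConfirmation_ConfirmForgotPassword';

// Pure decision step, kept apart from I/O so it runs offline. Returns the
// AdminUserGlobalSignOut input for a forgot-password confirmation, else null.
function globalSignOutInputFor(event) {
  if (event.triggerSource !== FORGOT_PASSWORD_CONFIRMED) return null;
  return { UserPoolId: event.userPoolId, Username: event.userName };
}

// Handler built around injected dependencies: a fake `adminUserGlobalSignOut`
// here, the real SDK call in Lambda (see productionHandler).
function makeHandler({ adminUserGlobalSignOut, store, now = () => Date.now() }) {
  return async function handler(event) {
    const input = globalSignOutInputFor(event);
    if (input !== null) {
      // Revokes all of the user's refresh tokens, on every device.
      await adminUserGlobalSignOut(input);
      // Recorded after the revocation, so a token refreshed during the call
      // still counts as pre-change. Whole seconds, the unit of the JWT `iat`.
      store.set(event.userName, Math.floor(now() / 1000));
    }
    // Post confirmation triggers must hand the event back unchanged.
    return event;
  };
}

// Real wiring for Lambda. The SDK is loaded lazily so the functions above can
// run where @aws-sdk/client-cognito-identity-provider is not installed.
function productionHandler(store) {
  const { CognitoIdentityProviderClient, AdminUserGlobalSignOutCommand } =
    require('@aws-sdk/client-cognito-identity-provider');
  const client = new CognitoIdentityProviderClient({});
  return makeHandler({
    adminUserGlobalSignOut: (input) => client.send(new AdminUserGlobalSignOutCommand(input)),
    store,
  });
}

// Application-side check. Global sign-out does not reach services that verify
// the JWT locally: an access/ID token issued before the reset verifies until
// `exp`. Rejecting tokens whose `iat` is not later than the recorded change
// closes that gap; the next refresh is then refused by Cognito and the mobile
// app lands back on its sign-in screen.
function tokenPredatesPasswordChange(claims, passwordChangedAt) {
  if (passwordChangedAt === undefined) return false; // no reset on record
  // `<=`, not `<`: a token refreshed in the same second as the reset is stale;
  // the cost is that a sign-in completing in that second is repeated once.
  return claims.iat <= passwordChangedAt;
}

// Offline walk-through with a fake Cognito call and constructed sample data.
async function runDemo() {
  const calls = [];
  const store = new Map();
  const handler = makeHandler({
    adminUserGlobalSignOut: async (input) => { calls.push(input); },
    store,
    now: () => 1700000100500, // constructed clock, milliseconds
  });
  const event = { // constructed event, shaped like what Cognito sends
    triggerSource: FORGOT_PASSWORD_CONFIRMED,
    userPoolId: 'us-east-1_EXAMPLE', // placeholder pool id
    userName: 'alice',
    request: { userAttributes: { email: 'alice@example.com' } },
  };
  await handler(event);
  const changedAt = store.get('alice'); // 1700000100
  return {
    revoked: calls.length === 1 && calls[0].Username === 'alice',
    staleMobileToken: tokenPredatesPasswordChange({ sub: 'x', iat: 1700000000 }, changedAt),
    freshToken: tokenPredatesPasswordChange({ sub: 'x', iat: 1700000200 }, changedAt),
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  runDemo().then((r) => console.log(r));
}
if (typeof module !== 'undefined') {
  module.exports = { globalSignOutInputFor, makeHandler, productionHandler, tokenPredatesPasswordChange, runDemo };
}
```

In the deployed function, export `productionHandler(yourStore)` as the Lambda handler and replace the Map with the app's real per-user storage, since the API that enforces tokenPredatesPasswordChange must see the same timestamp. The injected-dependency shape is deliberate: the revocation decision and the token-age rule are plain functions that can be unit-tested without AWS credentials.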


Top Results From Across the Web

Invalidating active sessions after a password change?
I've recently discovered this issue with my django based application. When a user changes their password, their active sessions are not destroyed.

Is there a way to invalidate a specific user session when there ...
I have the following scenario: 1) A user logs in using browser 1 and starts browsing the website. 2) The same user sends...

Changing password should invalidate all other sessions
Add to the session API a method that allows invalidating all sessions based on username or uid. Beta phase evaluation. Reference: https://www.

SPA invalidate all sessions on password change
We have a ReactJS SPA in which we have given the user the functionality to change password. For this, we use the Management API via...

Invalidate/revoke all user sessions upon password change
Enhance security by invalidating all active sessions upon password change. This helps in the event that a user suspects their password may ...
