
Blacklist access tokens

Overview

By default, session verification is stateless. This means that SuperTokens does not check that the session actually exists in the database, and only verifies the session by checking its signature. Whilst this makes session verification fast, it also means that if you revoke a session, the user can still use it until the access token expires.

If you want session verification to fail immediately after revoking the session, you should force the session to be checked against the database. Since you can enable this feature per API, we recommend using it only for non-GET APIs, since only those are state-changing.

Before you start

Caution: For managed service users, please check the rate limit policy before implementing this feature. If you suspect that you might breach the free limit, you can:

  • Email support to increase your rate limit.
  • Use the checkDatabase flag only on certain important APIs. For example, omit using it in any GET API, as those are not state-changing.
  • Implement your own method for keeping track of revoked access tokens by using a cache like Redis.

Using Verify Session

import express from "express";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express";

let app = express();

// checkDatabase: true makes verifySession confirm that the session still exists
// in the SuperTokens core, so a revoked session is rejected immediately instead
// of being accepted on the strength of its signature until the token expires.
app.post("/like-comment", verifySession({ checkDatabase: true }), (req: SessionRequest, res) => {
    let userId = req.session!.getUserId();
    //....
});

Using Get Session

import express from "express";
import Session from "supertokens-node/recipe/session";

let app = express();

app.post("/like-comment", async (req, res, next) => {
    try {
        // The same flag applies to manual verification: the session is looked up
        // in the database rather than verified by its signature alone.
        let session = await Session.getSession(req, res, { checkDatabase: true });

        if (session !== undefined) {
            let userId = session.getUserId();
        } else {
            // user is not logged in...
        }
        //....
    } catch (err) {
        // Verification errors (including a revoked session) are passed to the
        // SuperTokens error handler.
        next(err);
    }
});
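The two mitigations listed under the caution above, as an added example that is not SuperTokens code: a policy function that turns on checkDatabase only for state-changing methods (generalised from GET to all safe methods), and an in-process stand-in for the Redis revocation cache, keyed by a hypothetical sessionHandle and bounded by the access token's expiry, since a blacklist entry is only useful until the token would have expired anyway.

```typescript
// Added example (not part of the SuperTokens docs or library).

// Decide per request whether to pay for the database check. Only
// state-changing methods need it; GET, HEAD and OPTIONS are safe methods,
// so they keep the cheap stateless verification.
function checkDatabaseFor(method: string): boolean {
    const m = method.toUpperCase();
    return m !== "GET" && m !== "HEAD" && m !== "OPTIONS";
}

// Hypothetical in-memory stand-in for a Redis set of revoked sessions.
// Each entry maps a session handle (assumed to be taken from the verified
// session) to the time, in ms since the epoch, at which its access token
// expires. After that point the entry can be dropped, because stateless
// verification rejects the expired token on its own.
class RevokedSessionCache {
    private entries = new Map<string, number>();

    // Called when a session is revoked; tokenExpiryMs is the access token expiry.
    revoke(sessionHandle: string, tokenExpiryMs: number): void {
        this.entries.set(sessionHandle, tokenExpiryMs);
    }

    // True if the handle was revoked and its token is still within its lifetime.
    // Expired entries are removed lazily so the cache does not grow unbounded.
    isRevoked(sessionHandle: string, nowMs: number): boolean {
        const expiry = this.entries.get(sessionHandle);
        if (expiry === undefined) {
            return false;
        }
        if (nowMs >= expiry) {
            this.entries.delete(sessionHandle);
            return false;
        }
        return true;
    }

    size(): number {
        return this.entries.size;
    }
}

// Combined decision for a request that already passed stateless verification:
// reject if the session is in the local blacklist, otherwise report whether the
// route should additionally ask the SuperTokens core to check the database.
function decide(cache: RevokedSessionCache, method: string, sessionHandle: string, nowMs: number): "reject" | "check-db" | "allow" {
    if (cache.isRevoked(sessionHandle, nowMs)) {
        return "reject";
    }
    return checkDatabaseFor(method) ? "check-db" : "allow";
}
```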