Session invalidation
Overview
You can invalidate a session in SuperTokens in different ways.
The main recommendation is to use the signOut function from the frontend SDK.
Besides that you can also revoke sessions manually, through the backend SDKs.
This guide shows you how to implement each of these.
Before you start
This guide only applies to scenarios which involve SuperTokens Session Access Tokens.
User sign out
The frontend SDK exposes a signOut function that revokes the session for the user. You need to add your own UI element for this, since the library does not expose any components.
The signOut function calls the sign out API exposed by the session recipe on the backend. That API revokes the session that made the request and clears the session tokens held by the frontend (cookies or header-based tokens).
If you call signOut whilst the access token has expired but the refresh token still exists, the SDKs automatically perform a session refresh before revoking the session.
You have to add your own redirection logic after the sign out call completes.
import React from "react";
import { signOut } from "supertokens-auth-react/recipe/session";

function NavBar() {
    async function onLogout() {
        // Calls the backend sign out API and clears the frontend tokens
        await signOut();
        window.location.href = "/auth"; // or redirect to wherever the login page is
    }
    return (
        <ul>
            <li>Home</li>
            <li onClick={onLogout}>Logout</li>
        </ul>
    )
}
Expose a backend sign out method
If you do not want to use the frontend function, you can expose your own backend sign out method. It must run behind verifySession so that only the holder of a valid session can revoke it.
import express from "express";
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import { SessionRequest } from "supertokens-node/framework/express";

let app = express();

app.post("/someapi", verifySession(), async (req: SessionRequest, res) => {
    // This deletes the session from the db and, because it runs on the request's
    // own session object, also clears it from the frontend (cookies) in the response
    await req.session!.revokeSession();
    res.send("Success! User session revoked");
});
If you are using the pre-built UI and the <SessionAuth> component, you can set custom post-logout logic with the onSessionExpired prop.
The handler gets called if:
- The backend has revoked the session, but the frontend still holds its tokens.
- The user has been inactive for too long and their refresh token has expired.
import React from "react";
import { SessionAuth } from "supertokens-auth-react/recipe/session";
import MyComponent from "./myComponent";

const App = () => {
    return (
        <SessionAuth
            onSessionExpired={() => {/* e.g. redirect to the login page */ }}>
            <MyComponent />
        </SessionAuth>
    );
}
Direct session invalidation
To invalidate a session without relying on the intervention of a user, you can create your own custom methods using the backend SDKs.
This method of revoking a session only deletes the session from the database, not from the frontend. The frontend still holds the access token, and because access token verification does not consult the database by default, the user can keep calling protected endpoints until that access token expires. If you want to log the user out instantly in this mode, enable access token blacklisting, which makes every verification check that the session still exists in the database.
Revoke a specific session
import Session from "supertokens-node/recipe/session";

// Returns true if a session with this handle existed and was revoked,
// false if no such session was found
async function revokeSession(sessionHandle: string): Promise<boolean> {
    let revoked = await Session.revokeSession(sessionHandle);
    return revoked;
}
You can fetch all the sessionHandles for a user using the getAllSessionHandlesForUser function.
Revoke all sessions for a user
import express from "express";
import Session from "supertokens-node/recipe/session";

let app = express();
app.use(express.json()); // needed so req.body.userId is populated

// This endpoint lets the caller log out any user by ID, so it must only be
// reachable by an authorised operator (e.g. behind an admin check)
app.post("/revoke-all-user-sessions", async (req, res) => {
    let userId = req.body.userId;
    await Session.revokeAllSessionsForUser(userId);
    res.send("Success! All user sessions have been revoked");
});
By default, revokeAllSessionsForUser deletes all the sessions for the user across all the tenants. If you want to delete the sessions for a user in a specific tenant, you can pass the tenant ID as a parameter to the function call.
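The following is an added example, not SuperTokens SDK code or code from the page. It serves two passages above: the caveat that backend-only revocation leaves an unexpired access token usable unless blacklisting is on, and the per-user revocation section. An in-memory FakeCore stands in for the SuperTokens core; verifyAccessToken models the verification decision (signature handling is omitted, only expiry and the optional database lookup are modelled); and revokeOtherSessions implements "log out every other device" against only the two recipe functions named on the page, getAllSessionHandlesForUser and revokeMultipleSessions, so the real Session object from "supertokens-node/recipe/session" can be passed in place of the fake. The session handle format, the one-hour token lifetime and the "sign out everywhere else" endpoint idea are assumptions for the example.

```typescript
// Added illustration, not supertokens-node code. FakeCore models the core's
// session table; the real SDK talks to the core over HTTP instead.

interface SessionRecord { userId: string; tenantId: string }

// Constructed model of an access token: only the fields the check needs.
interface AccessToken { sessionHandle: string; userId: string; expiresAt: number }

// The subset of the supertokens-node Session recipe used by revokeOtherSessions.
// The real `Session` export satisfies this interface structurally.
interface SessionApi {
  getAllSessionHandlesForUser(userId: string): Promise<string[]>;
  revokeMultipleSessions(sessionHandles: string[]): Promise<string[]>;
}

class FakeCore implements SessionApi {
  private sessions = new Map<string, SessionRecord>();
  private counter = 0;

  // Assumed handle format "sh-N"; real handles are opaque strings.
  createSession(userId: string, tenantId = "public"): { handle: string; accessToken: AccessToken } {
    const handle = `sh-${++this.counter}`;
    this.sessions.set(handle, { userId, tenantId });
    // Assumed one-hour access token lifetime (constructed for the example).
    const accessToken: AccessToken = { sessionHandle: handle, userId, expiresAt: Date.now() + 3600_000 };
    return { handle, accessToken };
  }

  async getAllSessionHandlesForUser(userId: string): Promise<string[]> {
    const handles: string[] = [];
    this.sessions.forEach((s, h) => { if (s.userId === userId) handles.push(h); });
    return handles;
  }

  // Returns the handles that actually existed and were deleted, like the SDK call.
  async revokeMultipleSessions(handles: string[]): Promise<string[]> {
    return handles.filter((h) => this.sessions.delete(h));
  }

  hasSession(handle: string): boolean { return this.sessions.has(handle); }
}

// Models the verification decision: without blacklisting nothing but the token
// itself is inspected (no database hit), so a revoked-but-unexpired token still
// passes. With blacklisting the handle must also still exist in the core.
function verifyAccessToken(core: FakeCore, token: AccessToken, opts: { blacklisting: boolean }, now = Date.now()): boolean {
  if (token.expiresAt <= now) return false;
  if (opts.blacklisting && !core.hasSession(token.sessionHandle)) return false;
  return true;
}

// "Sign out everywhere else": revoke every session of the user except the one
// making the request (in an Express handler, currentHandle = req.session.getHandle()).
async function revokeOtherSessions(api: SessionApi, userId: string, currentHandle: string): Promise<string[]> {
  const handles = await api.getAllSessionHandlesForUser(userId);
  const others = handles.filter((h) => h !== currentHandle);
  if (others.length === 0) return [];
  return api.revokeMultipleSessions(others);
}

async function demo() {
  const core = new FakeCore();
  const laptop = core.createSession("user-1"); // sh-1
  const phone = core.createSession("user-1");  // sh-2
  core.createSession("user-1");                // sh-3, a tablet
  const otherUser = core.createSession("user-2"); // sh-4, must be untouched

  // Backend-only revocation of the phone session (what Session.revokeSession does).
  await core.revokeMultipleSessions([phone.handle]);
  const withoutBlacklisting = verifyAccessToken(core, phone.accessToken, { blacklisting: false });
  const withBlacklisting = verifyAccessToken(core, phone.accessToken, { blacklisting: true });

  // Log user-1 out of every device except the laptop.
  const revoked = await revokeOtherSessions(core, "user-1", laptop.handle);
  return {
    withoutBlacklisting, // true: the phone's token is still accepted
    withBlacklisting,    // false: the lookup finds no session
    revoked,             // ["sh-3"]
    currentKept: core.hasSession(laptop.handle),
    otherUserKept: core.hasSession(otherUser.handle),
  };
}
```

The split between a token check and a database lookup is the whole point of the blacklisting setting: with it off, revoking a session from the backend changes nothing for the holder of the access token until the token expires, so choose its lifetime accordingly or turn blacklisting on where instant logout matters.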