Revoke current Api Token on Logout


#1

How can I revoke the currently used API token while logging out? Is there any function with which I can get the currently used API token, or do I have to do something like this:

yield request.auth.revoke(request.authUser, [request.header('Authorization').replace('Bearer ', '')])


#2

Hey @gencblakqori! :wave:

If I understand correctly, you are using version 3.2 of AdonisJs.
The authorization header is sent from the client, so you don’t need to clean it from your server.

Concerning the revocation of the token, you have everything you need here http://adonisjs.com/docs/3.2/authentication#_revoke_user_tokens_array.


#3

Could I revoke a JWT token for a specific user (e.g. logout) in Adonis 4?
Thanks, PDP


#4

JWTs are stateless, which means they are not stored in any database and therefore cannot be revoked. Typically they have a short lifetime and have to be renewed using a refresh token.


#6

How to revoke current api_token in Adonis 4?


#7

Have you read the documentation and the link provided above? @ahmadarif


#8

Yes I have, but it revokes all tokens for the user. How do I revoke just one token? @romain.lanz
#Adonis4


#9

Maybe use the model directly to do it? What you need is the user id and the token to revoke it.

Assuming you have access to the user instance from the auth object.

const Encryption = use('Encryption')

const user = auth.current.user
// The bearer value in the Authorization header is the encrypted form of the token,
// while the tokens table stores the plain token, so decrypt before comparing (see #13).
const token = Encryption.decrypt(auth.getAuthHeader())

// Flag only this one token as revoked; the user's other tokens stay valid.
await user
  .tokens()
  .where('token', token)
  .update({ is_revoked: true })

#10

Also I have added a small example in the docs too http://adonisjs.com/docs/4.0/authentication#_revoking_tokens


#11

I just learned that const user = auth.current.user and auth.getAuthHeader() are available in Adonis 4; thanks for the information, so I don’t need to use const user = await auth.authenticator('api').getUser() :slight_smile:

await user
    .tokens()
    .where('token', token)
    .update({ is_revoked: true })

But this does not work to revoke the token.


#12

This is my code; I generate the token using authenticator.generate(user). So the token is not equal to the auth header.


#13

Sorry, this problem has been solved.
I have read this link, so the token must be decrypted first before the query update. My bad.

Thanks for the great framework and the response :slight_smile:


#14

Yeah, lemme see if I can add these methods directly on the auth instance; that’ll be more convenient.


#15

Working: revoking in the logout method.


#16

Your code will revoke all tokens, not just one token.
@renztoygwapo