I would like to propose the addition of a feature in GoTrue similar to the SecurityStamp functionality available in ASP.NET Core Identity.
Background:
In ASP.NET Core Identity, the SecurityStamp is used to invalidate all active authentication sessions for a user. This is achieved by updating the SecurityStamp whenever a significant change occurs to the user's account, such as a password reset or a role update. When the SecurityStamp is updated, all active tokens associated with the user become invalid, ensuring that any unauthorized sessions are terminated.
Currently, GoTrue does not provide a built-in mechanism to achieve this behavior. While JWT tokens can be expired based on the exp claim, there is no way to immediately invalidate tokens or force a user to log out across all sessions.
Proposed Feature:
Introduce a SecurityStamp or equivalent identifier stored in the user's metadata or database record.
Update the SecurityStamp whenever critical user information is modified (e.g., password reset, role change).
Extend the token validation process to check the SecurityStamp value, ensuring it matches the value stored on the server.
Provide an API endpoint or admin tool to manually update the SecurityStamp for a user.
Benefits:
Enhanced security: Administrators can forcibly log out users across all devices if needed.
Better account management: Ensures that account changes (e.g., password resets) take immediate effect on all active sessions.
Aligns GoTrue's functionality with other identity management systems.
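The proposal above can be shown end to end in a few dozen lines of Go. The following is an added example, not GoTrue's code: it mints an HS256 JWT that carries the user's current stamp under a hypothetical `security_stamp` claim (a name chosen here, not one GoTrue issues), validates signature and `exp` as usual, and then applies the proposed extra check against the stamp stored server-side. The `UserStore` map stands in for the users table, `Rotate` is the "update the SecurityStamp on password reset / role change / admin request" step, and the key and user id are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried in the access token. "security_stamp" is a hypothetical
// claim name chosen for this example; it is not a claim GoTrue issues.
type Claims struct {
	Sub           string `json:"sub"`
	Exp           int64  `json:"exp"`
	SecurityStamp string `json:"security_stamp"`
}

// UserStore stands in for the users table (user id -> current stamp);
// a real implementation would read and write the database row instead.
type UserStore map[string]string

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Rotate gives the user a fresh 128-bit random stamp, so every token minted
// with the old value stops validating at once. Call it on password reset,
// role change, or from an admin "sign out everywhere" endpoint.
func (s UserStore) Rotate(userID string) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	s[userID] = b64(b) // unguessable: a predictable stamp could be forged
	return s[userID]
}

// Sign builds a compact HS256 JWT that embeds the stamp current at login.
func Sign(c Claims, key []byte) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	input := header + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

var ErrBadToken = errors.New("malformed or badly signed token")
var ErrExpired = errors.New("token expired")
var ErrStaleSession = errors.New("security stamp mismatch: session revoked")

// Verify does the usual signature and exp checks, then the proposed extra
// step: the stamp in the token must equal the one stored for the user.
// The algorithm is pinned to HS256 rather than read from the token header.
func Verify(token string, key []byte, store UserStore, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrBadToken
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, ErrBadToken
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, ErrBadToken
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, ErrBadToken
	}
	if now.Unix() >= c.Exp {
		return nil, ErrExpired
	}
	// Unknown user or stale stamp both reject; constant-time compare avoids timing leaks.
	stored, ok := store[c.Sub]
	if !ok || subtle.ConstantTimeCompare([]byte(c.SecurityStamp), []byte(stored)) != 1 {
		return nil, ErrStaleSession
	}
	return &c, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed secret, demo only
	store := UserStore{}
	now := time.Now()
	tok := Sign(Claims{Sub: "user-1", Exp: now.Add(time.Hour).Unix(), SecurityStamp: store.Rotate("user-1")}, key)
	_, err := Verify(tok, key, store, now)
	fmt.Println("before reset:", err) // <nil>
	store.Rotate("user-1") // a password reset rotates the stamp
	_, err = Verify(tok, key, store, now)
	fmt.Println("after reset:", err) // security stamp mismatch: session revoked
}
```

The cost of the scheme is visible in `Verify`: every request now needs the stored stamp, so token validation is no longer stateless. Implementations usually keep access tokens short-lived and perform the stamp lookup on refresh, or cache stamps close to the verifier, which bounds the database load while still cutting off revoked sessions far sooner than waiting for `exp`.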