Better Auth•2w ago
Duki

Not all sessions are revoked when deleting a user

So when I have the same user logged in in 2 different browsers and delete them in one browser, the other browser still has a valid session.
3 Replies
Duki
DukiOP•2w ago
For context, I use a secondary storage, so perhaps that is something that interferes? I tried to work around this in several ways via an after hook on the /delete-user/callback, but none of them have worked.

- auth.api.listSessions({ headers }) gives me an empty array
- auth.api.revokeSessions({ headers }) succeeds but the other session is still running
- await ctx.context.internalAdapter.deleteSessions(user.id) doesn't help either

What am I missing? For some reason the session in my secondary storage is not deleted 🤔 but why?

In the implementation I can see that ctx.context.internalAdapter.deleteSessions(session.user.id) is called and theoretically it should find all the sessions and delete them, but in my redis DB I can see that the active-session-{userId} entry is removed, the initiating browser's session entry is removed too, but the session from the other browser is still there 🫣

OH I THINK I GOT IT!!! In the /delete-user and /delete-user/callback the following functions are called:
await ctx.context.internalAdapter.deleteUser(session.user.id);
await ctx.context.internalAdapter.deleteSessions(session.user.id);
await ctx.context.internalAdapter.deleteAccounts(session.user.id);
and the culprit that breaks everything is deleteUser! For some reason it deletes the active-sessions-{userId} key in the secondaryStorage.
if (secondaryStorage) {
await secondaryStorage.delete(`active-sessions-${userId}`);
}
This then causes deleteSessions to not be able to find the active sessions!

imo deleteUser does way too much. It doesn't only delete the user, it also deletes sessions and accounts, which the other two - deleteSessions and deleteAccounts - should be responsible for 🤔
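The ordering problem described in the post above, reproduced against an in-memory map. This is an added example, not part of the original post and not Better Auth's code. It assumes the `active-sessions-${userId}` key holds a JSON list of session tokens and that each session is stored under its own token key; the tokens and user id are constructed sample data.

```javascript
// Simplified model of the secondary-storage layout described in the thread.
// Assumption: `active-sessions-${userId}` holds a JSON list of session tokens,
// and each session is stored under its own token key. Not Better Auth code.
function makeStore(userId, tokens) {
  const store = new Map();
  store.set(`active-sessions-${userId}`, JSON.stringify(tokens));
  for (const t of tokens) store.set(t, JSON.stringify({ userId }));
  return store;
}

// Mirrors the snippet quoted in the post: deleteUser also drops the index key.
function deleteUser(store, userId) {
  store.delete(`active-sessions-${userId}`);
}

// Finds sessions through the index key, so it needs that key to still exist.
function deleteSessions(store, userId) {
  const raw = store.get(`active-sessions-${userId}`);
  const tokens = raw ? JSON.parse(raw) : [];
  for (const t of tokens) store.delete(t);
  store.delete(`active-sessions-${userId}`);
  return tokens.length; // number of sessions found through the index
}

// Runs the two calls in the given order and returns the keys left in storage.
function runDeletion(order, currentToken) {
  const userId = "user-1"; // constructed sample data
  const store = makeStore(userId, ["tok-browser-a", "tok-browser-b"]);
  // The post reports the initiating browser's entry is removed; modelled here
  // as a direct delete by token (assumption).
  store.delete(currentToken);
  const steps = { deleteUser, deleteSessions };
  for (const step of order) steps[step](store, userId);
  return [...store.keys()];
}

const userFirst = runDeletion(["deleteUser", "deleteSessions"], "tok-browser-a");
const sessionsFirst = runDeletion(["deleteSessions", "deleteUser"], "tok-browser-a");
console.log("deleteUser first     ->", userFirst);
console.log("deleteSessions first ->", sessionsFirst);
```

With the index key gone before `deleteSessions` runs, the second browser's session entry has nothing pointing at it and stays in storage until it expires on its own.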
Duki
DukiOP•2w ago
GitHub
Sessions not deleted properly when deleting user · Issue #3882 · ...
Is this suited for github? Yes, this is suited for github To Reproduce Create a user open 2 browser and log in with the same user delete the user in one browser the user in the other browser still ...
Duki
DukiOP•2w ago
GitHub
fix: prematurely deleting active sessions in secondary storage by D...
fixes #3882 For context, see: https://discord.com/channels/1288403910284935179/1403382349718229022 Summary by cubic Stopped deleting active sessions from secondary storage when removing a user to...
