Supabase•9h ago
Chatox

Help for auth sessions invalidation

Hiho! I am here to ask for guidance regarding how to invalidate user sessions. I found no option in the auth.admin functions for this. My scenario: a user's subscription got canceled. I archived the user's plan in the database, but I want the user's sessions to be updated. I have a custom auth hook function that sets subscription data into the claims, but I want the session token to be refreshed immediately after the subscription is cancelled. Thanks for any suggestion 😄
5 Replies
garyaustin•9h ago
There is no way to revoke or force a refresh of a JWT from the Supabase serverside. You would need to have a table involved and check that with RLS or a DB function available that runs on every request.
mide•9h ago
You can revoke the user’s refresh tokens to force a re-login — that’s the cleanest way to invalidate sessions since there’s no direct session invalidation API. After revoking, the next request will trigger a new token with updated claims. I can help you set this up if you’d like.
garyaustin•9h ago
That was not the question the OP had. They are setting the claim in the JWT and want it to refresh right then. Killing the refresh token will not impact the current JWT, and you have to wait for it to expire before it will refresh. Your idea would then log out the user, versus the OP's, which would at least get back a new JWT just without that subscription. The database REST API also does not look at sessions, only the JWT. One can certainly lower the window to 5 minutes or so with faster expire times. Also @Chatox please do not give access to your instance to users you don't know. We have had some aggressive users here we have banned for constantly trying to "help" by asking for access to fix something.
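The table-plus-RLS approach garyaustin describes, as an added example that is not code from this thread or from Supabase: a subscriptions table that only the backend writes, and a policy on the protected table that checks it on every request, so a stale JWT claim no longer matters. The table names (subscriptions, premium_content), the status values and the helper function name are assumptions.

```sql
-- Added example (not from the thread): enforce the subscription in the database
-- rather than in the JWT claim, so cancellation takes effect on the next request.
-- Table, column and function names below are assumptions.

create table if not exists public.subscriptions (
  user_id    uuid primary key references auth.users (id) on delete cascade,
  status     text not null check (status in ('active', 'canceled')),
  updated_at timestamptz not null default now()
);

-- Users may read their own row but never change it; the backend (service role)
-- is the only writer, so a client cannot "reactivate" itself.
alter table public.subscriptions enable row level security;
create policy "subscriptions: owner can read" on public.subscriptions
  for select to authenticated
  using ((select auth.uid()) = user_id);

-- STABLE + SECURITY DEFINER with an empty search_path: evaluated against the
-- live row for the calling user, and safe to keep even if the subscriptions
-- table is later hidden from direct client reads.
create or replace function public.has_active_subscription()
returns boolean
language sql stable security definer
set search_path = ''
as $$
  select exists (
    select 1 from public.subscriptions s
    where s.user_id = auth.uid() and s.status = 'active'
  );
$$;
revoke all on function public.has_active_subscription() from public;
grant execute on function public.has_active_subscription() to authenticated;

-- Gate the protected data on the live row, not on a claim baked into the JWT.
alter table public.premium_content enable row level security;
create policy "premium_content: active subscribers only" on public.premium_content
  for select to authenticated
  using (public.has_active_subscription());

-- Cancelling is then a single backend update. The user's existing JWT keeps
-- its stale claim until expiry, but this policy rejects the request right away:
-- update public.subscriptions set status = 'canceled', updated_at = now()
--   where user_id = '<user uuid>';
```

The JWT claim set by the custom access token hook can still be used for cheap client-side UI decisions; the policy above is what actually enforces access.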
j4•7h ago
If you're using the ssr library, and depending on how you're setting the data, you might be able to call await supabase.auth.refreshSession() after your server call that sets the data; which will generate and store a new JWT with the updated claims.
Chatox (OP)•4h ago
The thing is that the process that updates the plan will run separately from the user session. I have no direct way to communicate with the user. Cursor suggested modifying app_metadata on the user record so the middleware validates that flag and, if needed, forces a re-login, but that would only happen once the token expired, so there is no real communication there. Anyway, my backend is synced up from Supabase, so the "portal" can still be accessible without proper access, yet the backend won't allow requests. As a last shot I will add an interceptor to the axios config to sign out users the moment they start sending unauthorized requests. Thanks for the guidance here :supafire:
