After logging out user, old token is still valid?

Hello!

I’m trying to understand how the “logout” feature of the Admin SDK works. This is my scenario:

User logs in and is given a token. In the backend, I call token.validate(didToken), which succeeds. I decode the token using const [proof, claim] = mAdmin.token.decode(didToken), and ensure claim.iss is saved in my backend. All good so far.

Then, I call users.logoutByIssuer(issuer) using the issuer I saved previously. Everything goes well - nothing is thrown.

At this point, I’d expect the previous token to be revoked, thus not being valid anymore. However, when running token.validate(didToken) on the same token as before, it looks like that isn’t the case; it still succeeds like before - despite having logged out the user in the meantime.

What am I missing here? Can you please clarify how this works?


After some more testing, I see that the Client SDK in fact notices that the user was signed out, and isLoggedIn() will return false. However, from the looks of it, the client could still just use the same token and contact our backend directly - where the Admin SDK still evaluates the token as being valid.


Hi Hogne!

You’re right; if token.validate(didToken) doesn’t throw, it means the DID token is valid. However, the DID token and the user session with Magic aren’t tied together.

For example, when a user logs in, they are authenticated with magic for 7 days, but the DID token that gets returned from loginWithMagicLink() is only valid for 15 minutes. The validate function just ensures that the DID token hasn’t expired and that it was signed by the owner of the private key of the public address that generated it.

Wondering how soon you validated the DID token after you logged the user out?

Alright, makes sense. I definitely validated it before 15 minutes had passed, so that explains it - I missed the fact that it wasn’t tied to the session. The limited validity of the loginWithMagicLink() makes this a non-issue then I suppose 🙂 Thank you for clarifying.
