Delete refresh tokens from the user profile page

Created on 15 March 2018, about 7 years ago
Updated 26 February 2025, about 1 month ago

Hi,

When a refresh token is created, the user it's linked to is unknown and in the database 'auth_user_id' is 0 (anonymous).
I've spent some time trying different things but I cannot find a way to delete someone's refresh token. I have a button on a user's account page to revoke all tokens; this works for the auth_code and access_tokens but not the refresh token, which means they can just request a new access_token.

How can I remove a specific user's refresh token when there is no link to any uid? I know the information is inside the refresh_token but I can't decrypt it outside of the simple_oauth module. The use case is when a user's phone is stolen, we need to force the user to log in again.

SanderJP

Feature request

Status: Closed: duplicate
Version: 5.0
Component: Code
Created by: 🇳🇱 Netherlands SanderJP
