#convex auth - can i forcefully sign out everyone in our service?
Hi @static gyro. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
Yes, you can forcefully sign out all users in your Convex service by invalidating their sessions. Based on the knowledge sources, there are a couple of approaches you can take:
Invalidate Sessions
You can use the invalidateSessions method from the Convex Auth API to invalidate user sessions. When a session is invalidated, the user will need to sign in again to create a new valid session.
As mentioned in the documentation:
When an existing session is invalidated (deleted), the user is not automatically signed out until the JWT expires.
Auth Advanced Details
This means that after invalidating sessions, users won't be immediately signed out - they'll be signed out when their JWT token expires or when your application detects the invalid session.
Detecting Invalid Sessions
To force immediate sign-out, you'll need to:
- Create a query that checks if the user's session is valid
- Have your client respond to invalid sessions by calling signOut()
A community member shared a diff showing how to implement this approach:
GitHub Gist
The basic idea is to modify your code to check for session validity and trigger a sign-out when the session is invalid.
Implementation Example
You could create a query that checks for session validity and have your client call this query regularly. When the query indicates the session is invalid, call signOut() on the client side.
For a more immediate approach, you could:
- Delete all sessions from your database
- Implement the session validity check in all your authenticated queries/mutations
- Have your client respond to session invalidity errors by calling signOut()
This way, as soon as users try to perform any authenticated action, they'll be signed out if their session has been invalidated.
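The gap described in the answer above (a deleted session whose JWT has not yet expired) and the session-validity check that closes it, as an added example that is not part of the original thread and is not Convex Auth's own code. It is a constructed in-memory model: the function names, the session table shape and the one-hour token lifetime are assumptions.

```typescript
// Constructed in-memory model (hypothetical names, not Convex Auth's API).
type Jwt = { userId: string; sessionId: string; expiresAt: number };
type SessionTable = Map<string, string>; // sessionId -> userId

const HOUR_MS = 60 * 60 * 1000; // assumed JWT lifetime for this model only
let nextSessionId = 1; // never reused, so a deleted session id cannot come back

function signIn(table: SessionTable, userId: string, now: number): Jwt {
  const sessionId = `session-${nextSessionId++}`;
  table.set(sessionId, userId);
  return { userId, sessionId, expiresAt: now + HOUR_MS };
}

// Step 1 of the thread's approach: delete every session row.
function invalidateAllSessions(table: SessionTable): number {
  const removed = table.size;
  table.clear();
  return removed;
}

// A check that trusts the token alone keeps passing until expiry.
function jwtOnlyCheck(jwt: Jwt, now: number): boolean {
  return now < jwt.expiresAt;
}

// Step 2: the token must be unexpired AND its session row must still exist.
function sessionAwareCheck(table: SessionTable, jwt: Jwt, now: number): boolean {
  return jwtOnlyCheck(jwt, now) && table.get(jwt.sessionId) === jwt.userId;
}

// Step 3: the client drops its token and calls signOut() on a failed check.
function clientTick(table: SessionTable, jwt: Jwt | null, now: number, signOut: () => void): Jwt | null {
  if (jwt !== null && !sessionAwareCheck(table, jwt, now)) {
    signOut();
    return null;
  }
  return jwt;
}

function demo() {
  const table: SessionTable = new Map();
  const jwt = signIn(table, "alice", 0); // constructed sample user
  const removed = invalidateAllSessions(table);
  const fiveMinutesLater = 5 * 60 * 1000;
  let signOutCalls = 0;
  const jwtOnly = jwtOnlyCheck(jwt, fiveMinutesLater);
  const sessionAware = sessionAwareCheck(table, jwt, fiveMinutesLater);
  const held = clientTick(table, jwt, fiveMinutesLater, () => { signOutCalls++; });
  return { removed, jwtOnly, sessionAware, signOutCalls, held };
}
```

Five minutes after the mass invalidation, the token-only check still accepts the request, while the session-aware check rejects it and the client signs out.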