How can I reset / remove token from user?

[richard-313]

Hi,
I want only one user can use the token. If the same user wants to connect on another device, he has to relogin on this new device. I thought, I can do it, by reset or remove all user related token, when user login?

[dominic-ks]

Hello, @s72817,

Have you tried using the device parameter when requesting a token (I think) this can be validated in subsequent calls, maybe @pesseba can confirm?

[richard-313]

Hi @dominic-ks thanks for your reply.
I think devices are designed for parallel use:

"This means that a refresh token cannot be shared. To allow multiple devices to authenticate in parallel without losing access after another device re-authenticated, use the parameter device with the device identifier to associate the refresh token only with that device."

I think, the (only) possible way is, to immediately creating refresh token after login.

[pesseba]

Hi @dominic-ks and @s72817 there is a way to block all tokens. This feature happens when user reset their password. The function that do this is private block_all_tokens( $user_id ) in Devices, but you can call the callback for password reset (it will call the block_all_tokens):

$user = get_user_by('id', 26 ); //get the user you want...
$devices = new \JWTAuth \Devices();
$devices->after_password_reset($user, '');