Authentication / Manage Devices
Brief
Allow keeping track of the devices users are using to consume the service.
By a device I mean an authenticated session of access to the service (a unique pair of access_token and refresh_token) in combination with a device_id.
It would be good to have device uniqueness and to generate device_id from some unique parameters (to investigate).
Features
- Users must be able to see the devices they used to log in, including device details (UA, last used date time, expired at date time, device type, model, location).
- Users must be able to remove (log out) a particular device, or log out all devices except the current one.
Implementation
API
Create a new table to store authentication details:
- user_id
- device_id
- access_token
- refresh_token
- meta
Store details in this table on each successful login. Keep device_id + user_id unique.
Update details in this table on each successful refresh.
Remove details from this table on each logout.
This table should not be used to authenticate the user: as we're using JWT, a correct signature is still sufficient reason to consider authentication successful. We'll add a token blacklist later to allow blocking a particular device.
UI
Implement collecting the details needed to generate the device ID.
Create a new section under Settings / Security and display a list of devices, indicating the current device.
Add a button to log out a particular device, or log out all devices except the current one, by sending an API call. Need to implement the token blacklist first.
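
The table lifecycle from the API section (store on login, update on refresh, remove on logout, device_id + user_id unique), sketched as an added example that is not part of the original issue or the project's code. The table name auth_devices, the function names, the use of SQLite, the JSON encoding of meta, and storing SHA-256 digests in the token columns instead of raw tokens are all assumptions of this example.

```python
import hashlib, json, sqlite3

SCHEMA = """CREATE TABLE IF NOT EXISTS auth_devices (
    user_id       INTEGER NOT NULL,
    device_id     TEXT    NOT NULL,
    access_token  TEXT    NOT NULL,  -- SHA-256 digest (assumption of this example)
    refresh_token TEXT    NOT NULL,  -- SHA-256 digest (assumption of this example)
    meta          TEXT    NOT NULL,  -- JSON: UA, last used, expiry, model, ...
    PRIMARY KEY (user_id, device_id))"""

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def on_login(db, user_id, device_id, access, refresh, meta):
    # A repeat login from the same device replaces its row, so the pair stays unique.
    db.execute("INSERT OR REPLACE INTO auth_devices VALUES (?, ?, ?, ?, ?)",
               (user_id, device_id, digest(access), digest(refresh), json.dumps(meta)))
    db.commit()

def on_refresh(db, user_id, device_id, access, refresh, last_used):
    # Called after the refresh already succeeded; the table is bookkeeping only.
    key = (user_id, device_id)
    row = db.execute("SELECT meta FROM auth_devices WHERE user_id=? AND device_id=?",
                     key).fetchone()
    if row is None:
        return 0
    meta = dict(json.loads(row[0]), last_used=last_used)
    db.execute("UPDATE auth_devices SET access_token=?, refresh_token=?, meta=? "
               "WHERE user_id=? AND device_id=?",
               (digest(access), digest(refresh), json.dumps(meta)) + key)
    db.commit()
    return 1

def on_logout(db, user_id, device_id, keep_current=False):
    # keep_current=True removes every other device of the user instead.
    op = "<>" if keep_current else "="
    cur = db.execute(f"DELETE FROM auth_devices WHERE user_id=? AND device_id{op}?",
                     (user_id, device_id))
    db.commit()
    return cur.rowcount

def list_devices(db, user_id, current_device_id):
    # Token columns are never returned to the UI; only the id and meta are.
    rows = db.execute("SELECT device_id, meta FROM auth_devices "
                      "WHERE user_id=? ORDER BY device_id", (user_id,))
    return [{"device_id": d, "current": d == current_device_id, **json.loads(m)}
            for d, m in rows]
```

Removing a row here only updates the device list; as the issue notes, an already issued JWT stays valid until it expires or the token blacklist exists.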