Support revoking the session inside the refreshSession override
Opened this issue · 1 comment
Currently if you revoke the session in a refreshSession function override it still returns 200 and sets the session tokens in the response, while doing the same in the API override will not set the tokens.
This is because the session object doesn't save the fact that it has been revoked and the default API impl can set the tokens in the response.
If the user wants to deny refreshing the session they should throw an UNAUTHORISED error after revoking the session.
Internal discussions: https://supertokens.slack.com/archives/C03J31QAQLC/p1699977428029849
Summary: this can be fixed by making revokeSession save the "revocation" on the session object and to make attachSession.. and the refreshSession API impl handle it appropriately. Although the current impl is not ideal, we decided to postpone fixing, since there is a straightforward "workaround" and it's a rare use-case anyway.
This can also be achieved by overriding the api layer instead of the functions layer, and revoking the session after calling the original implementation of the refresh API.
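The following is an added, self-contained model of the behaviour described above; it is not supertokens-node code, and every name in it (createCore, defaultFunctions, defaultApis, buildStack, runRefresh, the container's attachToResponse/revokeSession methods, the sample user and token strings) is a constructed stand-in. It reproduces the three cases from the issue: revoking inside a functions-layer refreshSession override and returning the container (the response still comes back 200 with tokens because the container carries no "revoked" state), revoking and then throwing UNAUTHORISED (the workaround), and revoking after the original refresh API has run, which clears the tokens the API already attached.

```javascript
// Constructed model of the functions-layer / API-layer split; NOT supertokens-node code.
const UNAUTHORISED = "UNAUTHORISED";

class SessionError extends Error {
  constructor(type, message) { super(message); this.type = type; }
}

// In-memory stand-in for the session core: handle -> { userId, refreshToken }.
function createCore() {
  const sessions = new Map();
  let n = 0;
  return {
    create(userId) {
      const handle = `sh-${++n}`;
      const refreshToken = `rt-${handle}-0`;
      sessions.set(handle, { userId, refreshToken });
      return { handle, refreshToken };
    },
    refresh(refreshToken) {
      for (const [handle, s] of sessions) {
        if (s.refreshToken === refreshToken) {
          s.refreshToken = `rt-${handle}-${++n}`; // rotate the refresh token on every use
          return { handle, userId: s.userId, refreshToken: s.refreshToken };
        }
      }
      throw new SessionError(UNAUTHORISED, "refresh token not found");
    },
    revoke(handle) { return sessions.delete(handle); },
    exists(handle) { return sessions.has(handle); },
  };
}

// Functions layer. The container returned by refreshSession has no "revoked" flag,
// so revoking by handle here leaves the container looking like a live session.
function defaultFunctions(core) {
  return {
    refreshSession: async ({ refreshToken }) => {
      const s = core.refresh(refreshToken);
      let attachedRes = null;
      return {
        getHandle: () => s.handle,
        attachToResponse: (res) => {
          attachedRes = res;
          res.status = 200;
          res.tokens = { refreshToken: s.refreshToken };
        },
        // Container-level revoke: also clears tokens already written to the response.
        revokeSession: async () => {
          core.revoke(s.handle);
          if (attachedRes) attachedRes.tokens = null;
        },
      };
    },
    revokeSession: async ({ sessionHandle }) => core.revoke(sessionHandle),
  };
}

// API layer: attaches whatever the functions layer returns, unless it throws UNAUTHORISED.
function defaultApis(functions) {
  return {
    refreshPOST: async ({ refreshToken, res }) => {
      try {
        const session = await functions.refreshSession({ refreshToken });
        session.attachToResponse(res); // nothing here can tell the session was revoked
        return session;
      } catch (e) {
        if (e instanceof SessionError && e.type === UNAUTHORISED) {
          res.status = 401;
          res.tokens = null;
          return undefined;
        }
        throw e;
      }
    },
  };
}

// Mirrors the "override functions vs. override apis" choice.
function buildStack(core, { functions: fo, apis: ao } = {}) {
  let functions = defaultFunctions(core);
  if (fo) functions = fo(functions);
  let apis = defaultApis(functions);
  if (ao) apis = ao(apis);
  return apis;
}

// Creates one session, refreshes it through the stack, and reports what the client would see.
async function runRefresh(overrides) {
  const core = createCore();
  const { handle, refreshToken } = core.create("user-1"); // constructed sample user
  const apis = buildStack(core, overrides);
  const res = {};
  await apis.refreshPOST({ refreshToken, res });
  return { status: res.status, tokensSet: res.tokens != null, sessionAlive: core.exists(handle) };
}

// 1. Revoke inside the functions override and return the container anyway:
//    the client gets 200 plus fresh tokens for a session that no longer exists.
const revokeOnly = {
  functions: (original) => ({
    ...original,
    refreshSession: async (input) => {
      const session = await original.refreshSession(input);
      await original.revokeSession({ sessionHandle: session.getHandle() });
      return session;
    },
  }),
};

// 2. The workaround from the issue: revoke, then throw UNAUTHORISED.
const revokeThenThrow = {
  functions: (original) => ({
    ...original,
    refreshSession: async (input) => {
      const session = await original.refreshSession(input);
      await original.revokeSession({ sessionHandle: session.getHandle() });
      throw new SessionError(UNAUTHORISED, "refresh denied");
    },
  }),
};

// 3. API-layer alternative: run the original refresh API, then revoke the container it
//    returns, which clears the tokens that were already attached to the response.
const apiLayerRevoke = {
  apis: (original) => ({
    ...original,
    refreshPOST: async (input) => {
      const session = await original.refreshPOST(input);
      if (session) await session.revokeSession();
      return session;
    },
  }),
};

module.exports = { runRefresh, revokeOnly, revokeThenThrow, apiLayerRevoke, SessionError, UNAUTHORISED };
```

Running runRefresh with each override object shows the difference the issue describes: revokeOnly yields status 200 with tokens set while the session is already gone from the store, revokeThenThrow yields 401 with no tokens, and apiLayerRevoke leaves no tokens in the response.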