invalidateTokens method
Invalidates tokens according to the strategy
context: Context containing the information needed for invalidation.
This could include the access token, refresh token, user ID, etc.
Implementation
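/// Invalidates the tokens described by [context].
///
/// When both an access token and its expiry are present, the token is treated
/// as stateless (JWT): a blacklist record is written for it, then the refresh
/// tokens found for the session and the refresh token supplied in [context]
/// are deleted. When only the access token is present, it is treated as
/// stateful and deleted directly.
///
/// Nothing is revoked when `context.accessToken` is null, even if a refresh
/// token is supplied; callers that need to revoke a refresh token on its own
/// must do so separately.
///
/// Errors thrown by the token service propagate to the caller. A failure after
/// the blacklist write leaves the refresh token(s) in place, so callers should
/// treat an exception as "revocation incomplete".
@override
Future<void> invalidateTokens(TokenInvalidationContext context) async {
  // Copy to locals so null checks promote and no `!` assertions are needed.
  final accessToken = context.accessToken;
  if (accessToken == null) return;

  final tokenExpiry = context.tokenExpiry;
  if (tokenExpiry == null) {
    // Stateful token: removing the stored record is the revocation.
    await _tokenService.deleteToken(accessToken);
    return;
  }

  // Stateless token (JWT): it stays cryptographically valid until it expires,
  // so it has to be recorded as revoked.
  // NOTE(review): the raw token is passed to the blacklist store; confirm that
  // blacklistToken hashes it before persisting, otherwise a read of the store
  // exposes bearer tokens that are only as revoked as the check is enforced.
  // NOTE(review): both timestamps are local-time ISO strings without an
  // offset; confirm the blacklist lookup compares them in the same zone so an
  // entry cannot lapse before the token's real expiry.
  final blacklistData = {
    'token': accessToken,
    'tokenable_id': context.userId,
    'guard': context.guard,
    'type': 'blacklist',
    'created_at': DateTime.now().toIso8601String(),
    // tokenExpiry is treated as epoch seconds and converted to milliseconds.
    'expires_at': DateTime.fromMillisecondsSinceEpoch(
      tokenExpiry * 1000,
    ).toIso8601String(),
  };
  await _tokenService.blacklistToken(blacklistData);

  // Tokens already deleted in this call, so the supplied refresh token is not
  // deleted a second time.
  final revoked = <String>{};

  // A type test instead of a cast: a malformed `session_id` must not throw
  // here, after the access token is blacklisted but before any refresh token
  // has been revoked.
  final sessionId = context.metadata?['session_id'];
  if (sessionId is String) {
    // Use the session ID to find the refresh token(s) issued for this session.
    final sessionTokens = await _tokenService.findTokensBySession(
      sessionId,
      context.guard,
      'refresh',
    );
    for (final tokenData in sessionTokens) {
      final token = tokenData['token'];
      if (token is String) {
        await _tokenService.deleteToken(token);
        revoked.add(token);
      }
    }
  }

  // Always revoke the refresh token the caller supplied. Previously this ran
  // only when no session ID was present, so a session lookup that returned
  // nothing left the supplied refresh token usable for minting new access
  // tokens.
  final refreshToken = context.refreshToken;
  if (refreshToken != null && !revoked.contains(refreshToken)) {
    await _tokenService.deleteToken(refreshToken);
  }
}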