revokeToken method
Revokes a specific token by its ID.
If the tokenId doesn't exist, the operation completes without error.
If tokenIssuer is provided, only tokens from that specific token manager will be revoked.
Implementation
@override
Future<void> revokeToken(
final Session session, {
required final String tokenId,
final Transaction? transaction,
final String? tokenIssuer,
}) async {
if (_isNotTargetedTokenIssuer(tokenIssuer)) {
return;
}
final UuidValue refreshTokenId;
try {
refreshTokenId = UuidValue.withValidation(tokenId);
} catch (e) {
// Silence if the tokenId is not a valid UUID which can happen when
// interacting with multiple token managers.
return;
}
final deletedRefreshToken = await jwt.admin.deleteRefreshTokens(
session,
refreshTokenId: refreshTokenId,
transaction: transaction,
);
if (deletedRefreshToken.isEmpty) return;
if (deletedRefreshToken.length != 1) {
throw StateError(
'Expected 1 refresh token to be deleted, but got ${deletedRefreshToken.length}',
);
}
final (:authUserId, refreshTokenId: _) = deletedRefreshToken.first;
await session.messages.authenticationRevoked(
authUserId.uuid,
RevokedAuthenticationAuthId(authId: refreshTokenId.uuid),
);
}