revokeRefreshToken method

Future<bool> revokeRefreshToken(
  Session session, {
  required UuidValue refreshTokenId,
  Transaction? transaction,
})

Revokes a specific refresh token.

This does not affect the user's other authentications. Returns true if the token was found and deleted, false otherwise.

Any access tokens associated with this refresh token will continue to work until they expire.

Automatically registers authentication revocation via session.messages.authenticationRevoked when the token is deleted. If this behavior is not desired, use JwtAdmin.deleteRefreshTokens instead.
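The following is an added illustration, not Serverpod code: a small in-memory model of the behavior described above, showing the window in which an already-issued access token stays usable after its refresh token is revoked. The class names, the 10-minute lifetime, and the expiry-only validation are assumptions made for the example.

```dart
// Added illustration: an in-memory model, NOT Serverpod code.
// All class and method names below are hypothetical.
class AccessToken {
  AccessToken(this.refreshTokenId, this.expiresAt);
  final String refreshTokenId;
  final DateTime expiresAt;
}

class TokenModel {
  TokenModel(this.accessTokenLifetime);
  final Duration accessTokenLifetime;
  final Map<String, String> _refreshTokens = {}; // refreshTokenId -> userId

  void addRefreshToken(String id, String userId) => _refreshTokens[id] = userId;

  // Issuing a new access token requires the stored refresh token.
  AccessToken? refresh(String id, DateTime now) => _refreshTokens.containsKey(id)
      ? AccessToken(id, now.add(accessTokenLifetime))
      : null;

  // Assumption: validation checks expiry only and never consults the store.
  bool isValid(AccessToken token, DateTime now) => now.isBefore(token.expiresAt);

  // Same contract as documented: true if found and deleted, false otherwise.
  bool revokeRefreshToken(String id) => _refreshTokens.remove(id) != null;
}

void main() {
  final issuedAt = DateTime.utc(2024, 1, 1, 12); // constructed timestamps
  final model = TokenModel(const Duration(minutes: 10))
    ..addRefreshToken('phone', 'user-1')
    ..addRefreshToken('laptop', 'user-1');
  final phoneAccess = model.refresh('phone', issuedAt)!;

  final revokedAt = issuedAt.add(const Duration(minutes: 4));
  final first = model.revokeRefreshToken('phone');
  final second = model.revokeRefreshToken('phone'); // already deleted
  print('first revoke: $first, second revoke: $second');

  // The already-issued access token outlives the revocation.
  final window = phoneAccess.expiresAt.difference(revokedAt);
  print('valid at revocation: ${model.isValid(phoneAccess, revokedAt)}');
  print('residual window: ${window.inMinutes} min');

  // No new access token for the revoked session; the other one is untouched.
  print('phone can refresh: ${model.refresh("phone", revokedAt) != null}');
  print('laptop can refresh: ${model.refresh("laptop", revokedAt) != null}');
}
```

In this model the worst-case exposure after revocation equals the access token lifetime, which is the figure to weigh when choosing that lifetime.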

Implementation

Future<bool> revokeRefreshToken(
  final Session session, {
  required final UuidValue refreshTokenId,
  final Transaction? transaction,
}) async {
  final refreshToken = (await admin.deleteRefreshTokens(
    session,
    refreshTokenId: refreshTokenId,
    transaction: transaction,
  )).firstOrNull;

  if (refreshToken == null) {
    return false;
  }

  // Notify the client about the revoked authentication for the specific
  // refresh token.
  await session.messages.authenticationRevoked(
    refreshToken.authUserId.uuid,
    RevokedAuthenticationAuthId(authId: refreshTokenId.toString()),
  );

  return true;
}