Description
Improve documentation
Link
https://supabase.com/docs/guides/auth/signout
Describe the problem
Been working with many auth libraries over the years, and signOut is a function you don't necessarily spend much time reading up about, the definition is pretty universal – revoke current user session.
That is, except for Supabase it seems, where the default definition is – revoke all sessions for this user globally.
It's very rare that when a user signs out, they want to be signed out from all devices by default, globally. Imagine using a shared device and logging out there causing you to log out from all of your personal devices as well.
It's especially tricky to offer a good UX by default with this approach with JWTs, unless you offer a mechanism to invalidate active access_tokens as well. Imagine logging out from one device and staying logged in on another for another half an hour, only to be logged out randomly half an hour later, mid-session (as an active user), for an unknown reason (unknown both to developers and to users themselves at that time). Hence, the UX is too poor for this to be a default behaviour for a signOut.
Describe the improvement
Add a big fat red warning about this, and potentially change the behaviour in the next major release.
And at the very least, better error names than "refresh token not found" could be useful – e.g. "refresh token has been revoked".
Additional context
We spent days if not weeks trying to chase the reason why we're getting "randomly" signed out on our desktop and mobile apps, and the root cause was signOut: supabase/ssr#68 (comment)
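The failure mode described in this issue, as an added example that is not part of the original issue or of Supabase's code. It is a constructed in-memory model of a refresh-token store: each device holds a self-contained access token that resource servers only check for expiry, plus a refresh token held server-side. The scope names ('global', 'local', 'others') mirror the scope option that the linked docs page describes for signOut; the store, the 1-hour access-token lifetime, the user and device names, and the error strings are all assumptions made for the example. Revoked records are kept rather than deleted so the refresh endpoint can distinguish "revoked" from "not found".

```javascript
// Added example, not Supabase's implementation: a constructed model of
// refresh-token revocation showing why a global signOut looks like a
// "random" logout on the user's other devices some time later.
// Scope names mirror the supabase-js signOut option ('global'|'local'|'others');
// everything else (TTL, names, error strings) is an assumption for this model.

const ACCESS_TTL_MS = 60 * 60 * 1000; // assumed 1-hour access tokens

class SessionStore {
  constructor() {
    this.sessions = new Map(); // refreshToken -> session record
    this.counter = 0;
  }

  signIn(userId, now) {
    const refreshToken = `rt_${++this.counter}`;
    const session = { userId, refreshToken, revoked: false, accessExp: now + ACCESS_TTL_MS };
    this.sessions.set(refreshToken, session);
    return session;
  }

  // The access token is self-contained (JWT-like): resource servers only check
  // its expiry, so revoking the refresh token does not cut the device off.
  accessAllowed(session, now) {
    return now < session.accessExp;
  }

  // Revoked records are kept (not deleted) so the refresh endpoint can report
  // *why* it failed instead of the ambiguous "refresh token not found".
  refresh(refreshToken, now) {
    const s = this.sessions.get(refreshToken);
    if (!s) return { ok: false, error: 'refresh token not found' };
    if (s.revoked) return { ok: false, error: 'refresh token has been revoked' };
    s.accessExp = now + ACCESS_TTL_MS;
    return { ok: true, accessExp: s.accessExp };
  }

  // Returns how many of the user's sessions were revoked by this sign-out.
  signOut(refreshToken, scope) {
    const me = this.sessions.get(refreshToken);
    if (!me) return 0;
    let revoked = 0;
    for (const s of this.sessions.values()) {
      if (s.userId !== me.userId || s.revoked) continue;
      const hit =
        scope === 'global' ||
        (scope === 'local' && s === me) ||
        (scope === 'others' && s !== me);
      if (hit) {
        s.revoked = true;
        revoked++;
      }
    }
    return revoked;
  }
}

// Two devices for the same (constructed) user; the shared phone signs out
// 30 minutes after both signed in, with the given scope.
function scenario(scope) {
  const store = new SessionStore();
  const MIN = 60 * 1000;
  const phone = store.signIn('alice', 0);
  const laptop = store.signIn('alice', 0);

  const revokedCount = store.signOut(phone.refreshToken, scope); // at t = 30 min

  // 15 minutes after the phone signs out: the laptop's access token is still
  // within its lifetime, so the laptop keeps working in every scope.
  const laptopStillActive = store.accessAllowed(laptop, 45 * MIN);

  // The laptop's access token expires and its client refreshes silently.
  // With a global sign-out this is the moment the laptop is "randomly" logged out.
  const laptopRefresh = store.refresh(laptop.refreshToken, 61 * MIN);
  const phoneRefresh = store.refresh(phone.refreshToken, 61 * MIN);

  return { revokedCount, laptopStillActive, laptopRefresh, phoneRefresh };
}

for (const scope of ['global', 'local', 'others']) {
  console.log(scope, JSON.stringify(scenario(scope)));
}
```

The point the model makes explicit: in every scope the laptop stays usable until its access token expires, and only the later refresh reveals whether the sign-out was global, which is exactly the delayed, hard-to-attribute logout the issue describes. A client that wants the conventional "sign out this device" behaviour has to pass the local scope explicitly under the defaults the issue complains about.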