
Conversation

@stack72 stack72 (Contributor) commented Jan 15, 2026

Updates logout behavior to revoke all web session tokens for a workspace (not just the current session) and hides web session tokens from the API Tokens management page. Fixes multi-session logout behavior where users expect "logout" to end all active sessions for a workspace, not just the current tab.

With the initial secure bearer tokens implementation:

  • ❌ Logout only revoked the specific token from the current tab
  • ❌ Other tabs/sessions remained active after logout (zombie sessions)

Logout Now Revokes All Sessions

When a user logs out from a workspace:

  1. Revokes all web session tokens for that user+workspace combination
  2. Other tabs get 401 on next request and auto-logout
  3. Clean session termination across all tabs/devices

Why this is correct:

  • Matches user expectation ("logout" = "end my session completely")
  • Consistent with other apps (Gmail, GitHub, Slack)
  • Security-conscious: prevents zombie sessions
  • Multi-tab support during active use, clean break on logout

Multi-Session Behavior

During Active Use (Multiple Tabs):

Tab 1: Working in workspace
Tab 2: Click workspace link
→ New token created for Tab 2
→ Tab 1's token NOT revoked
→ Both tabs work independently ✅

On Logout (Global Termination):

Tab 1: Clicks logout
→ All web tokens for user+workspace revoked
→ Tab 1 redirects to login
→ Tab 2 next request → 401
→ Tab 2 auto-logout via 401 interceptor
→ Clean session end across all tabs ✅

Token Accumulation

Multiple sessions are allowed and expected:

  • Users can open workspace in multiple tabs/devices
  • Each session gets its own token
  • All tokens validated on every request
  • Tokens expire in 30 days automatically
  • Logout revokes all sessions for clean termination

This is NOT a security issue because:

  • Each token individually validated against database
  • All tokens have 30-day expiration
  • Revocation check on every request
  • Logout provides global revocation option
  • Similar to GitHub, Gmail, Slack session management

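The multi-tab and logout flows described in this PR, modelled as an added Python example; this is not the project's own code, and the names (`TokenStore`, `BrowserTab`, `handle_request`), the `kind` field separating web session tokens from API tokens, and storing a SHA-256 hash of each bearer token instead of the raw value are assumptions made for the illustration. It shows two tabs for one user and workspace working independently, a logout from one tab revoking every web session token for that user+workspace (but not API tokens or another workspace's session), the other tab receiving 401 on its next request and clearing its token, web sessions hidden from the API token listing, and the 30-day expiry check that runs on every request.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

WEB_SESSION_TTL = timedelta(days=30)  # 30-day web session expiry, as described in the PR


@dataclass
class TokenRecord:
    user_id: str
    workspace_id: str
    kind: str            # "web" = browser session token, "api" = user-managed API token (assumed field)
    created_at: datetime
    revoked: bool = False


@dataclass
class TokenStore:
    """Constructed in-memory stand-in for the token table; keyed by SHA-256(token) (assumption)."""
    records: dict = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, workspace_id: str, kind: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self.records[self._key(token)] = TokenRecord(user_id, workspace_id, kind, now)
        return token

    def validate(self, token: str, now: datetime):
        """Every request re-checks the token: unknown or revoked -> None; stale web session -> None."""
        rec = self.records.get(self._key(token))
        if rec is None or rec.revoked:
            return None
        if rec.kind == "web" and now - rec.created_at > WEB_SESSION_TTL:
            return None
        return rec

    def logout(self, user_id: str, workspace_id: str) -> int:
        """Global logout: revoke ALL web session tokens for this user+workspace, leave API tokens alone."""
        count = 0
        for rec in self.records.values():
            if (rec.kind == "web" and rec.user_id == user_id
                    and rec.workspace_id == workspace_id and not rec.revoked):
                rec.revoked = True
                count += 1
        return count

    def list_api_tokens(self, user_id: str):
        """What the API Tokens management page shows: web session tokens are filtered out."""
        return [r for r in self.records.values()
                if r.user_id == user_id and r.kind == "api" and not r.revoked]


def handle_request(store: TokenStore, token, now: datetime) -> int:
    """Server side: 200 if the bearer token validates, otherwise 401."""
    if token is None:
        return 401
    return 200 if store.validate(token, now) is not None else 401


class BrowserTab:
    """Client side: one tab holding one session token, with a 401 interceptor that auto-logs-out."""
    def __init__(self, token: str):
        self.token = token

    def request(self, store: TokenStore, now: datetime) -> int:
        status = handle_request(store, self.token, now)
        if status == 401:
            self.token = None  # interceptor: drop the session and send the user to login
        return status


def simulate() -> dict:
    t0 = datetime(2026, 1, 15, tzinfo=timezone.utc)  # constructed timestamp
    store = TokenStore()
    tab1 = BrowserTab(store.issue("alice", "ws-1", "web", t0))   # first tab
    tab2 = BrowserTab(store.issue("alice", "ws-1", "web", t0))   # second tab, own token
    other_ws = BrowserTab(store.issue("alice", "ws-2", "web", t0))
    api_token = store.issue("alice", "ws-1", "api", t0)
    stale = store.issue("bob", "ws-1", "web", t0)

    before = (tab1.request(store, t0), tab2.request(store, t0))  # both tabs work
    revoked = store.logout("alice", "ws-1")                      # tab 1 clicks logout
    tab1.token = None                                            # tab 1 redirects to login
    tab2_after = tab2.request(store, t0)                         # tab 2's next request
    return {
        "before": before,
        "revoked": revoked,
        "tab2_after": tab2_after,
        "tab2_cleared": tab2.token is None,
        "other_workspace": other_ws.request(store, t0),
        "api_token": handle_request(store, api_token, t0),
        "api_tokens_listed": len(store.list_api_tokens("alice")),
        "fresh": handle_request(store, stale, t0 + timedelta(days=29)),
        "expired": handle_request(store, stale, t0 + timedelta(days=31)),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

`logout` filters on `kind == "web"` so API tokens issued to the same user and workspace survive a browser logout, which is the behaviour implied by hiding web sessions from the API Tokens page; if a deployment wants logout to also invalidate API tokens, that filter is the single place to change.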
@github-actions commented

Dependency Review

✅ No vulnerabilities or OpenSSF Scorecard issues found.

Scanned Files

None

@stack72 stack72 requested a review from jkeiser January 15, 2026 23:31
@nickgerace nickgerace (Contributor) left a comment


Looks great! Just one question.

@stack72 stack72 added this pull request to the merge queue Jan 16, 2026
@stack72 stack72 removed this pull request from the merge queue due to a manual request Jan 16, 2026
@stack72 stack72 marked this pull request as draft January 16, 2026 00:58


3 participants