Logout all devices

[geolunalg]

Dependency

• Logout (single device) #2072
• Also need to get alignment with team & stakeholder that this feature is required.

Overview

As a user, I want to log out from all devices so I can secure my account if needed.

Action Items

Acceptance Criteria:

• Backend invalidates all refresh tokens for the user (or session family).
• All devices can no longer refresh; they must re-authenticate.
  • Frontend: Should simply redirect the user back to the login page (this should be handled by Logout (single device) #2072).

Resources/Instructions

• To be addressed after Logout (single device) #2072:
  • Tests should include logging in from two machines, then logging out from the second machine. After that, attempting to access a protected page on the first machine should redirect the user to the login page.
• This issue is part of the epic: EPIC: Authentication & Session Management (JWT + Refresh) #2065

[geolunalg]

@JackHaeg @trillium @rteas

This may be something we can hand over to other team members.

Backend:
Needs to invalidate all refresh tokens for a given user.

Frontend:
Should simply redirect the user back to the login page (this should be handled by #2072).

To be addressed after #2072:
Tests should include logging in from two machines, then logging out from the second machine. After that, attempting to access a protected page on the first machine should redirect the user to the login page.

This can be tabled or skipped.

[JackHaeg]

Not implementing now. Deprioritized