Ability to force-logout users via API

[sistason]

API Endpoint or Feature

The endpoint should be able to terminate all active sessions of a user.

Use-Case

We are using Bookstack with OIDC, and when we deactivate users in our SSO, they still have an active session in Bookstack and can fully used it for a few hours.

Additional context

We don't want to delete users instantly and Bookstack users dont have a deactivated attribute, so deleting all sessions and preventing login is probably the closest thing we can do in that regard, right?

Is there already a way to programmatically revoke user sessions like that, or do "deactivation" in some other way?

[ssddanbrown]

Thanks for the request @sistason.
Right now we don't have a great way to track/manage/invalidate sessions in general.
That is something I'd like to implement at some point within the UI for admin users (after which it would make sense to add it as an API availability). Just need to find the right time to revamp that system.

[timhallmann]

In the meantime, for OIDC specifically, it's possible via the logical theme system. A while ago, I wrote an extension that implements both Backchannel Logout and an automatic logout once the Access Token expires and it can't be refreshed via a Refresh Token.

Depending on your OIDC Provider, you can either log users out via Backchannel Logout or simply wait for their Access Token to expire.

@ssddanbrown I didn't think of it before, but would this be something you'd consider adding as a BookStack Hack?