Skip to content

Auth: explicit session invalidation

Created by: beyang

Provide an explicit session invalidation mechanism for Sourcegraph.

Currently, sessions are invalidated after they expire (configurable via the auth.sessionExpiry option) or on user sign-out. Proposal is to also enable explicit session invalidation in the following scenarios:

  • An admin manually invalidates all sessions for a given user.
  • A user's existing sessions are invalidated after successful password reset or password change under built-in auth.
  • Session is not cleaned up after user log out (added by @unkwon)