Logout everywhere
A controller that revokes every active session for the current user. Useful for the “I lost my phone” button on the account-security page.
```ts
import { authService } from "@warlock.js/auth";
import type { Request, Response } from "@warlock.js/core";

export async function logoutEverywhereController(request: Request, response: Response) {
  // Revoke every refresh and access token held for the authenticated user.
  await authService.revokeAllTokens(request.user!);

  return response.success({ message: "Logged out from every device" });
}
```

Wire it behind required auth:

```ts
import { authMiddleware } from "@warlock.js/auth";
import { router } from "@warlock.js/core";
import { logoutEverywhereController } from "./controllers/logout-everywhere.controller";

router.post("/account/logout-everywhere", logoutEverywhereController, {
  middleware: [authMiddleware([])],
});
```

What `revokeAllTokens` does, end to end:
- Find every non-revoked refresh token for the user.
- Call `.revoke()` on each (sets `revoked_at = now()`).
- Fire `token.revoked` per token.
- Delete every access-token row for the user.
- Fire `logout.all` once.
After this returns, every other client holding any token for this user gets a 401 on its next request — refresh attempts hit the revoked-token branch and return null.
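The sketch below is an added example, not code from `@warlock.js/auth`. It models the five steps above in memory so the effect on the user's other devices, and on other users, can be checked. `TokenStore`, its methods and the sample token ids are hypothetical.

```typescript
// In-memory model of the revocation steps listed above. Every name here is
// hypothetical; this is not the @warlock.js/auth implementation.
type RefreshToken = { id: string; userId: number; revokedAt: Date | null };
type AccessToken = { id: string; userId: number };

class TokenStore {
  refreshTokens: RefreshToken[] = [];
  accessTokens: AccessToken[] = [];
  events: string[] = []; // stand-in for the event bus

  issue(userId: number, device: string): void {
    this.refreshTokens.push({ id: `r-${device}`, userId, revokedAt: null });
    this.accessTokens.push({ id: `a-${device}`, userId });
  }

  revokeAllTokens(userId: number): number {
    // Steps 1-3: find live refresh tokens, stamp revoked_at, fire one event per token.
    const live = this.refreshTokens.filter((t) => t.userId === userId && t.revokedAt === null);
    for (const token of live) {
      token.revokedAt = new Date();
      this.events.push(`token.revoked:${token.id}`);
    }
    // Step 4: delete every access-token row for the user.
    this.accessTokens = this.accessTokens.filter((t) => t.userId !== userId);
    // Step 5: one summary event per call.
    this.events.push("logout.all");
    return live.length;
  }

  // Access-token check: a deleted row means the request is answered with 401.
  statusFor(accessTokenId: string): number {
    return this.accessTokens.some((t) => t.id === accessTokenId) ? 200 : 401;
  }

  // Refresh: the revoked-token branch returns null instead of a new token id.
  refresh(refreshTokenId: string): string | null {
    const token = this.refreshTokens.find((t) => t.id === refreshTokenId);
    if (!token || token.revokedAt !== null) return null;
    return `a-new-${token.id}`;
  }
}

// Constructed sample data: user 1 on two devices, user 2 on one.
function demo() {
  const store = new TokenStore();
  store.issue(1, "phone");
  store.issue(1, "laptop");
  store.issue(2, "tablet");
  const revoked = store.revokeAllTokens(1);
  return { store, revoked };
}
```

Calling `revokeAllTokens` a second time in this model finds no live refresh tokens, so it fires no further `token.revoked` events.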
Confirm with the current password first
If the button isn’t behind a recent-login window, gate it with a password confirmation:
```ts
import { authService } from "@warlock.js/auth";
import type { Request, Response } from "@warlock.js/core";

export async function logoutEverywhereController(request: Request, response: Response) {
  const user = request.user!;
  // Re-check the current password before revoking anything.
  const ok = await user.confirmPassword(request.input("currentPassword"));

  if (!ok) {
    return response.unauthorized({ error: "Wrong password" });
  }

  await authService.revokeAllTokens(user);

  return response.success({ message: "Logged out from every device" });
}
```

`confirmPassword` is the instance-method form of `verifyPassword` against the user’s stored hash.
Related
- Handle login and logout — single-device logout.
- Manage tokens — the full revocation surface.
- List active sessions — show the user what’s about to get revoked.