Struggling with figuring this one out on my own!
We have a free and premium options on our site which is defined by roles on what can be accessed. We think that some users might be sharing their identity logins that have premium accounts to other users. It seems as if a single account can currently be logged in on multiple devices at the same time.
Is there a way to avoid this?
Thanks so much for reading!
Here is a bit of an overview
- Nuxt Vue static site
- Netlify identity enabled
- Stripe handling payments
- Firebase database
- Netliify site: detready.netlify.app
While it’s somewhat possible to “block” the login, I believe that’s not the user experience you’d like to have. If that’s what you’re looking for, consider the situation in which user genuinely wishes to change the device, they’d have to contact you to reset their logged in devices list and access their account. If that’s what you’re looking for, let me know so I can share the solution. But, if you simply wish to log the user out from other devices, this doesn’t seem possible. I tried various things to try to get this to work, but there’s simply no way that I can think of to invalidate the previous token.
Here’s what I thought could work:
A user logs in → You trigger the
identity-login or any custom function → in the
app_metadata object of the user, you can set something like
login: 1, and once they login from somewhere else, you can simply increment it. I thought this would invalidate the previous JWT as the encoding now changed, however, the Identity Widget is “not notified” of this updated JWT. It continues to use the previous token as that successfully decodes too.
If this is what you wanted, I don’t actually see a point as, as long as the user has the password, they can simply login and invalidate the previous device and this will go on. So, if you really wish to block the login attempt entirely, let me know so I can walk you through it, but according to me, that’s a bad user experience. This is what keeps big OTT platforms from preventing users from sharing accounts too, I believe. They could block the login attempt, but that would increase the load on the support team to unblock genuine requests and if they invalidate the other device, the user can simply re-enter the password and this game would go on.
Thank’s for the time taken to respond to this with your knowledge. Sadly the following was what I had in mind:
But, if you simply wish to log the user out from other devices, this doesn’t seem possible. I tried various things to try to get this to work, but there’s simply no way that I can think of to invalidate the previous token.
Back to the drawing board again I think!