Laravel Passport refresh token still valid even after deleting the entry from the database

I am using Laravel 5.3 and Passport for APIs.

My scenario: I want to allow only single-user access to my API. If a user tries to access the API from a different device, the previous device should automatically get logged out, or the tokens associated with that device shall get invalidated.

I could simply mark revoke = 1 in the database, but it will leave lots of redundant tokens in the table and eventually slow the login API, as it has to go through each access_token entry and mark revoke. I have tested this hypothesis and it is correct.

What I have implemented is, while listening to new token generation, I delete the existing access and refresh token from the database. But my problem is, the old refresh token is still valid and can be used to generate a new set of access and refresh tokens. Am I missing something here, or is this how the library is designed to work?

Any help on this or alternate approach will be much appreciated.

Thank you :)
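The "listen for new token generation, then invalidate the other device" flow from the question, written out as an added example; this is not code from the question, from the answer, or from the Passport package itself. It assumes Laravel 5.3 with Passport's default tables (oauth_access_tokens, oauth_refresh_tokens) and Passport's AccessTokenCreated event, which exposes tokenId, userId and clientId. It revokes rather than deletes, because the refresh grant decides validity by looking the refresh token up by id, and a revoked row is the state that lookup is built to honour; the bloat the question worries about is handled by a separate bounded prune that only deletes rows that are both revoked and past expiry.

```php
<?php
// Added example, not part of the original post. Assumes Laravel 5.3 + Passport 1.x
// default table names and the Laravel\Passport\Events\AccessTokenCreated event.

namespace App\Listeners;

use Carbon\Carbon;
use Illuminate\Support\Facades\DB;
use Laravel\Passport\Events\AccessTokenCreated;

class RevokeOtherDeviceTokens
{
    /**
     * Every access token the same user holds for the same client, other than the
     * one just issued, belongs to a previous device and must stop working, as must
     * the refresh tokens chained to them (otherwise the old device can mint a new pair).
     */
    public function handle(AccessTokenCreated $event)
    {
        $staleIds = DB::table('oauth_access_tokens')
            ->where('user_id', $event->userId)
            ->where('client_id', $event->clientId)
            ->where('id', '<>', $event->tokenId)
            ->pluck('id')
            ->all();

        if (empty($staleIds)) {
            return;
        }

        DB::transaction(function () use ($staleIds) {
            // Refresh tokens first: a refresh request that races this listener must
            // already find its row revoked before the access token row changes.
            DB::table('oauth_refresh_tokens')
                ->whereIn('access_token_id', $staleIds)
                ->update(['revoked' => true]);

            DB::table('oauth_access_tokens')
                ->whereIn('id', $staleIds)
                ->update(['revoked' => true]);
        });

        $this->pruneExpiredRevokedTokens();
    }

    /**
     * Keeps the table from growing without bound. Only rows that are both revoked
     * and past their expiry are deleted, so nothing still referenced by a live
     * refresh token disappears. Run this from a scheduled command instead if the
     * login path must stay as cheap as possible.
     */
    protected function pruneExpiredRevokedTokens()
    {
        $cutoff = Carbon::now();

        $expiredIds = DB::table('oauth_access_tokens')
            ->where('revoked', true)
            ->where('expires_at', '<', $cutoff)
            ->pluck('id')
            ->all();

        if (empty($expiredIds)) {
            return;
        }

        DB::transaction(function () use ($expiredIds) {
            DB::table('oauth_refresh_tokens')
                ->whereIn('access_token_id', $expiredIds)
                ->delete();

            DB::table('oauth_access_tokens')
                ->whereIn('id', $expiredIds)
                ->delete();
        });
    }
}

// Registration (assumed placement in App\Providers\EventServiceProvider::$listen):
//
// protected $listen = [
//     \Laravel\Passport\Events\AccessTokenCreated::class => [
//         \App\Listeners\RevokeOtherDeviceTokens::class,
//     ],
// ];
```

The listener is keyed on (user_id, client_id), so a user may still hold one valid token per OAuth client; narrow the query to user_id alone if "one device, full stop" is the intended policy. Whether a hard delete of the refresh token row should also be rejected by the refresh grant depends on the Passport version in use, which is exactly what the question is asking; revoking is the path the package documents, so it is the safer one to rely on.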

I think that's the flow; same thing in my experience. The easiest is to set the token lifetime after another token is generated:
Passport::tokensExpireIn(now()->addDays(15));