
[Feature] Logout Everywhere/ Destroy Sessions Button

Open · elevatorz89 opened this issue 5 years ago · 1 comment

Is your feature request related to a problem? Please describe. Technically, this could be filed as a preventative security measure. I use quite a few devices but have hardly any idea what browsers are authenticated into Crypt.ee. Others might log into a public device but forget to log out, hence the security "issue".

Describe the solution you'd like A simple "Logout Everywhere" button in the security tab of the settings, maybe with a confirmation to make it idiot-proof.

elevatorz89 · Apr 16 '20 05:04

This is a really good idea! 👏🏻 I'll try to add this button for the account settings window for the next release.

While there isn't a button for it, you can already do this by going through the "forgot password" flow. But first some mandatory information, before you go through this flow.

Simply put, the way our auth works is that, once authenticated for the first time on a device, the device gets a refresh token from the server, and keeps this in memory as long as you stay logged in on that device. Then every time you open the app, the refresh token is traded for an authentication token. Long story short, authentication tokens are short lived, ranging from 5min - 24hrs max (very often 5min - 10mins), but refresh tokens last until you sign out on a device.

When you go through the forgot password flow, this flow invalidates the refresh tokens of all devices on the server. Since your password changed, you'll need a new refresh token on each device.

A couple of caveats.

  1. Needless to say, since there's no way to log devices out if they're not connected to the internet, devices will only be force-logged out the next time the app is launched, when it tries to trade the refresh token for a new authentication token. (So you can't log out a device in the background if the app's not open – but it'll log out as soon as it's launched)

Why is this important?

  • If the other device has off-line documents, until it's logged out theoretically someone with proper technical skills and access to the device's disk storage can extract your offline documents. (all of which are encrypted with your key by the way, so your documents are safe, but still a heads up for the sake of it, in case you're Snowden 🧐)

  • Force-log-out triggers all the standard features of the sign out flow on the device, which means wiping all stored data from the device = deleting offline documents as well. So if you force all devices to log out, then later remember your office desktop had this one offline document you desperately need next day in the office, it's too late. This will be wiped as soon as the device tries to get a new token as well.

  2. Cryptee doesn't actually know / track how many of your other sessions are 'active'. This would require logging device information (browser name, OS name, device name etc.) and more importantly an IP address. I'm pretty sure our users would riot if we added this (even optionally) – Because of this, we can't really add a fancy "active sessions" view with a map etc. like most web services, social networks etc. have. So this log out on all devices button won't be able to show how many other devices / sessions are logged in.

  3. Because of 2, this button won't be able to function like "log out from all other devices except this one". The server doesn't know which is which. It'll log you out from the device you press the button on as well. – I'm going to see if we can solve this by sending the first/last 4 digits of the trigger device's refresh token, and use an exception for that on the server side. If we could do this in a security-conscious manner, then you can disregard this warning point.

Hoping these make sense. Let me know if you can think of different scenarios / different solutions etc. I'd be happy to incorporate more feedback into this. ✌🏻

Thanks a lot for this fantastic idea.

johnozbay · Apr 16 '20 07:04
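A server-side sketch of the token model described in the thread (refresh tokens traded for short-lived auth tokens on each launch, and a password change or "logout everywhere" making every existing refresh token stale), plus one way to keep the triggering device signed in by verifying its full refresh token rather than a few of its digits. This is an added example, not Cryptee's code; the `SessionStore` class, its per-user generation counter and all names are assumptions.

```python
import hashlib
import secrets
import time


class SessionStore:
    """In-memory stand-in for a server-side token store (constructed example, not Cryptee's)."""

    def __init__(self):
        self.generation = {}  # user -> current refresh-token generation
        self.refresh = {}     # sha256(refresh token) -> (user, generation it was issued under)

    def _key(self, token):
        # Only a digest is stored, so a leaked table does not yield usable refresh tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_refresh_token(self, user):
        gen = self.generation.setdefault(user, 0)
        token = secrets.token_urlsafe(32)
        self.refresh[self._key(token)] = (user, gen)
        return token

    def trade_for_auth_token(self, token, ttl=300):
        """Called on every app launch. A refresh token issued under an older generation
        is rejected and dropped; the client then runs its normal sign-out/wipe flow."""
        entry = self.refresh.get(self._key(token))
        if entry is None:
            return None
        user, gen = entry
        if gen != self.generation[user]:
            del self.refresh[self._key(token)]
            return None
        return {"sub": user, "exp": time.time() + ttl}  # short-lived auth token

    def logout_everywhere(self, user, keep_token=None):
        """Bump the generation so every outstanding refresh token becomes stale, exactly
        as a password change does. If keep_token (the device pressing the button) is
        supplied, it is checked by full digest and rotated into the new generation, so the
        server never has to trust a partial token value sent by the client."""
        self.generation[user] = self.generation.get(user, 0) + 1
        entry = self.refresh.pop(self._key(keep_token), None) if keep_token else None
        if entry and entry[0] == user:
            return self.issue_refresh_token(user)  # fresh token for the trigger device
        return None
```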