Just a security suggestion: it seems like changing the password doesn't invalidate the old session, so attackers can still have access to the account despite the owner changing their password.
Tom
The old session will expire automatically within an hour anyway. Since the auth system is JWT based, there is no easy way to expire an existing session. It works in the same way as an S3 presigned URL: it's valid until it expires (no revocation mechanism).
We plan to switch to a different auth provider or make significant changes in the existing one that we use. Related to: https://github.com/orgs/supabase/discussions/26864
With Supabase, the refresh token expires 10s (default value) after being reused; whilst seemingly secure, it poses some challenges to reliably extending the session without losing the user session: supabase/auth-he...