Enforce single session per user behaviour

[Kiliusz]

So I paid for pro plan on supabase and checked this field "Enforce single session per user". But I'm still able to be logged with the same account on 2 different browsers at the same time.
My question is do I need to do anything else in order to loggout user from other device when same account is loggedin in different browser?

[GaryAustin1]

Users can stay logged in until their jwt expires. Default is on hour. There is no way for the Supabase server to notify the client to signout until a refresh of the jwt is done.

[macMikey]

you gotta two-stage it, because you can't easily revoke a jwt token in supabase.
you can:

• write your own auth flow (not my idea of a good time, but i've done it with other tools)
• write a pre-auth flow with ephemeral users (that's what i did) - this does not resolve the jwt life, but it does make it harder for a user to be logged into multiple devices at the same time, because they would have to share the ephemeral user credentials. you can use this idea with the one below, too.
• you can also lock the user out until the current jwt expires by setting auth.users.banned_until. this is a zulu timestamp field. this is compatible with the other ideas, above. what you would do is set up a cron job that will check auth.last_signin_at, and set the ban time, accordingly. locking them out does not revoke the jwt, it just keeps them from logging in, again, which solves the multiple login problem. to avoid inadvertently locking them out, you need to hang onto the jwt, somewhere, until it expires, in case they exit your app.