YektaRoustaei

Description

This PR ensures that when a user’s role is updated in the dashboard, all active sessions for that user are automatically revoked.

Previously, role changes did not revoke live sessions, which caused stale permission data to remain cached in active sessions. This led to UI inconsistencies and, more critically, potential security issues — for example, a downgraded user could still retain elevated access until their session expired.

By revoking all sessions immediately upon role change:

🚫 Eliminates cache bugs caused by outdated role/permission data.

🔒 Ensures that security updates take effect instantly across all devices.

🎛️ Preserves existing error handling and UI feedback patterns, with added visual indication during the revocation process.

How to Test

1. Assign a role to a user.
2. Log in with that user on multiple devices/tabs.
3. Change the user’s role in the dashboard.
4. Verify that all existing sessions are revoked and the user is prompted to log in again.
5. Confirm that the new role/permissions are applied correctly after reauthentication.
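The stale-permission problem the description refers to, and the revoke-on-role-change fix, modelled as an added example. This is not code from the PR or from Clerk's SDK (the reviewers note below that the SDK methods the PR called do not exist); it is a hypothetical in-memory `AuthStore` whose sessions snapshot the user's role at sign-in, the way a cached session claim would, so that a role downgrade without revocation leaves live sessions authorizing at the old level.

```javascript
// Added example, not part of the original PR or of Clerk's SDK. All names
// (AuthStore, signIn, authorize, ...) are hypothetical, and the users and
// sessions below are constructed for the demo.

class AuthStore {
  constructor() {
    this.users = new Map();    // userId -> { role }
    this.sessions = new Map(); // sessionId -> { userId, roleClaim, revoked }
    this.nextSessionId = 1;
  }

  createUser(userId, role) {
    this.users.set(userId, { role });
  }

  // Sign-in copies the current role into the session, as a token/claims cache does.
  signIn(userId) {
    const user = this.users.get(userId);
    if (!user) throw new Error(`unknown user ${userId}`);
    const id = `sess_${this.nextSessionId++}`;
    this.sessions.set(id, { userId, roleClaim: user.role, revoked: false });
    return id;
  }

  // Marks every active session of the user as revoked; returns how many were hit.
  revokeAllSessionsForUser(userId) {
    let count = 0;
    for (const s of this.sessions.values()) {
      if (s.userId === userId && !s.revoked) {
        s.revoked = true;
        count += 1;
      }
    }
    return count;
  }

  setRole(userId, newRole) {
    const user = this.users.get(userId);
    if (!user) throw new Error(`unknown user ${userId}`);
    user.role = newRole;
  }

  // The bug: the stored role changes, but live sessions keep their cached claim.
  changeRoleWithoutRevocation(userId, newRole) {
    this.setRole(userId, newRole);
    return 0;
  }

  // The fix: a role change immediately revokes every active session of that user,
  // so the next request on any device must re-authenticate and pick up the new role.
  changeRoleWithRevocation(userId, newRole) {
    this.setRole(userId, newRole);
    return this.revokeAllSessionsForUser(userId);
  }

  // The decision a request handler makes from the session's cached claim alone.
  authorize(sessionId, requiredRole) {
    const s = this.sessions.get(sessionId);
    if (!s || s.revoked) return { ok: false, reason: 'no active session, re-authenticate' };
    if (s.roleClaim !== requiredRole) return { ok: false, reason: `role ${s.roleClaim} insufficient` };
    return { ok: true };
  }
}

// Scenario: an admin signed in on two devices is downgraded to member without revocation.
// Both sessions still carry roleClaim 'admin' and keep passing the admin check.
function demoStaleSession() {
  const store = new AuthStore();
  store.createUser('user_1', 'admin');
  const laptop = store.signIn('user_1');
  const phone = store.signIn('user_1');
  store.changeRoleWithoutRevocation('user_1', 'member');
  return [store.authorize(laptop, 'admin').ok, store.authorize(phone, 'admin').ok];
}

// Same scenario with revoke-on-role-change: old sessions fail immediately, and a
// fresh sign-in carries the new role only.
function demoRevokeOnRoleChange() {
  const store = new AuthStore();
  store.createUser('user_1', 'admin');
  const laptop = store.signIn('user_1');
  const phone = store.signIn('user_1');
  const revoked = store.changeRoleWithRevocation('user_1', 'member');
  const stale = [store.authorize(laptop, 'admin').ok, store.authorize(phone, 'admin').ok];
  const fresh = store.signIn('user_1');
  return {
    revoked,
    stale,
    freshAdmin: store.authorize(fresh, 'admin').ok,
    freshMember: store.authorize(fresh, 'member').ok,
  };
}

console.log('without revocation:', JSON.stringify(demoStaleSession()));
console.log('with revocation:', JSON.stringify(demoRevokeOnRoleChange()));
```

The point of the model is that authorization reads the claim cached in the session, not the user record, so correcting the user record alone does nothing for sessions already issued; revocation is what forces every device back through sign-in. A real implementation would do the revocation server-side in the same transaction as the role update, rather than from the dashboard client as the PR attempted.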

- Automatically revoke all user sessions when role is changed
- Prevents cache issues with stale permissions
- Adds visual feedback during session revocation process
- Ensures immediate security updates when roles change
- Maintains existing error handling and UI patterns
- Removed useState import and revokingSessionsFor state
- Removed visual feedback UI (Revoking sessions... indicator)
- Simplified handleRoleChange function
- Kept automatic session revocation functionality
- Cleaner implementation without visual changes

changeset-bot bot commented Sep 19, 2025

⚠️ No Changeset found

Latest commit: 9f5c9be

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


vercel bot commented Sep 19, 2025

@YektaRoustaei is attempting to deploy a commit to the Clerk Production Team on Vercel.

A member of the Team first needs to authorize it.

@YektaRoustaei (Author)

@tmilewski

@tmilewski tmilewski changed the title Feature/role change session revocation feat(clerk-js): Role change session revocation Sep 19, 2025
@tmilewski (Member)

@YektaRoustaei Thank you! I'm going to ping @panteliselef as it'll be better that he reviews this.

@panteliselef (Member)

panteliselef commented Sep 19, 2025

@YektaRoustaei there are no Clerk.client.sessions.getUserSessions() and Clerk.client.sessions.revokeSession methods.

@panteliselef (Member)

This PR seems to be using methods that are non existent in our JS SDK, also the logic seems to be flawed and attempting to fix a problem that is not well defined. Feel free to open a new PR in the future.
