Is there a way to force a mass logout?

(Juan Manuel Formoso) #1

I recently updated my internal instance to use SSO, and I want to force all users to re-login to validate their accounts against the other system.

Can I force every user to log out, or is the only way to do it one by one?

(Sam Saffron) #2

Yeah, you would have to update the authtoken to nil on the users table.

(Kane York) #3

./launcher enter app
rails c

(Julian Somoza) #4

ERROR: column “auth_token” of relation “users” does not exist

(Felix Freiberger) #5

Try this:

User.all.each { |u|

(Taken from here.)

(Julian Somoza) #6

The command is executed fine but the user is not logged out…

(Felix Freiberger) #7

Argh, too bad, thanks for trying. In that case, I’ll have to update my scripts soon and am out of ideas for now. Maybe @riking can update his instructions?

(Jeff Atwood) #8

Any comments here @sam? This would also be duplicated on the “my Discourse was compromised” topic.

(Sam Saffron) #9

UserAuthToken.destroy_all would do the trick; you would also want to revoke API keys, so that is 2 additional tables to nuke, ApiKey and UserApiKey.
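
The revocation described in the post above, as an added example that is not part of the original thread: it counts and then deletes the rows of the three models named there inside one transaction, with a dry run by default. `force_mass_logout`, `in_transaction`, `FakeTable` and `demo` are hypothetical names, and `FakeTable` is a constructed stand-in so the file runs without a Discourse database.

```ruby
# Added example, not from the thread. In `rails c` pass the real models:
#   force_mass_logout([UserAuthToken, ApiKey, UserApiKey])                  # preview
#   force_mass_logout([UserAuthToken, ApiKey, UserApiKey], dry_run: false)  # delete

# Use a database transaction when ActiveRecord is loaded, so a failure on a
# later table rolls back the earlier ones; otherwise just run the block.
def in_transaction(&block)
  if defined?(ActiveRecord::Base)
    ActiveRecord::Base.transaction(&block)
  else
    block.call
  end
end

# Returns { model name => rows present before the call }.
# With dry_run: true (the default) nothing is deleted.
def force_mass_logout(models, dry_run: true)
  in_transaction do
    models.each_with_object({}) do |model, report|
      report[model.name] = model.count
      model.destroy_all unless dry_run
    end
  end
end

# Constructed stand-in (assumption) exposing the three calls used above.
class FakeTable
  attr_reader :name

  def initialize(name, rows)
    @name = name
    @rows = rows
  end

  def count
    @rows.size
  end

  def destroy_all
    @rows.clear
  end
end

# Dry run, real run, then the row counts left behind (constructed data).
def demo
  tables = [FakeTable.new("UserAuthToken", [1, 2, 3]),
            FakeTable.new("ApiKey", [1]),
            FakeTable.new("UserApiKey", [1, 2])]
  [force_mass_logout(tables), force_mass_logout(tables, dry_run: false), tables.map(&:count)]
end
```

Deleting these rows ends only the forum's own sessions; a user whose session at the SSO provider is still active is signed straight back in on the next page load.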

(Vaishak Kallore) #10

This works like a charm… :slight_smile:

When this is run, except for the master admin (first admin), all other accounts get logged out. Fair enough.

Just to know, why is the first admin account not getting logged out? Is it expected? @sam

(Sam Saffron) #11

Everything should be logged out, my guess is that you forgot to refresh your page.

(Vaishak Kallore) #12

Oh I see, I think I got it… We have forum access only with SSO, and on my computer the SSO server session should have already expired and his was active. On page refresh, the browser redirected to the SSO server and saw the active session; as the forum redirect URL included SSO login information in the URL, it got validated and took the admin back to the forum :slight_smile:

(Sam Saffron) #13

Totally, I have been thrown off that kind of stuff before as well, it happens too fast to notice.

(Sam Saffron) closed #14