Delete grants on post password change

shafty023 · October 31, 2024, 2:04pm

I am trying to write a custom action that upon a user changing their password, will delete any existing grants and device credentials. I’ve gone through the password change flow and I’m not seeing any logs showing up. I’m not sure if I wrote this correctly. Can anyone help? I’ve tried running the action manually but this type of thing can’t be tested through the run method.

exports.onExecutePostChangePassword = async (event, api) => {
  const { ManagementClient } = require("auth0");
  const { DOMAIN, CLIENT_ID, CLIENT_SECRET } = event.secrets || {};
  const management = new ManagementClient({
    domain: DOMAIN,
    clientId: CLIENT_ID,
    clientSecret: CLIENT_SECRET,
    scope: 'read:grants delete:grants read:device_credentials delete:device_credentials'
  });
  try {
    // Delete all grants
    const grantManager = management.grants;
    const grants = await grantManager.getAll({ user_id: event.user.user_id });
    if (Array.isArray(grants)) {
      for (const grant of grants) {
        await grantManager.deleteByUserId({ user_id: event.user.user_id })
      }
      console.log(`Successfully deleted grants for user ${event.user.user_id}`);
    } else {
      console.log("No grants found");
    }
  } catch (error) {
    console.error(`Error deleting grants for user ${event.user.user_id}:`, error);
    // Optionally, throw an error
    // throw new Error('Failed to revoke user sessions.');
  }
  try {
    // Delete all device credentials (refresh tokens)
    const deviceCredentialsManager = management.deviceCredentials;
    const deviceCredentials = await deviceCredentialsManager.getAll({
      user_id: event.user.user_id,
      type: 'refresh_token'
    });
    if (Array.isArray(deviceCredentials)) {
      for (const deviceCredential of deviceCredentials) {
        await deviceCredentialsManager.delete({ id: deviceCredential.id})
      }
      console.log(`Successfully deleted device credentials for user ${event.user.user_id}`);
    } else {
      console.log("No device credentials found");
    }
  } catch (error) {
    console.error(`Error deleting device credentials for user ${event.user.user_id}:`, error);
    // Optionally, throw an error
    // throw new Error('Failed to revoke user device credentials.');
  }
};

Topic		Replies	Views
Is there a way to access user management api from a post-password-change action? Help	3	3381	July 29, 2021
Revoke Refresh Tokens when a User Changes or Reset Password after Account Compromise Knowledge Articles password-reset , refresh-tokens , revoke	1	30	October 31, 2024
DELETE /api/v2/device-credentials/{id} for revoking refresh token same behaviour than /oauth/revoke? Help api	1	4162	June 11, 2020
Updating user metadata on password change Help user-profile , user-management	2	988	October 27, 2023
Can't add password grant type from Management API Help bug	3	3211	April 30, 2020

Delete grants on post password change

Related Topics