Auth: Detect and handle a revoked auth token. #9392
Comments
|
A user's auth token can also be revoked when their password is reset, which can be done by the user or for WordPress.com users may be done automatically for security purposes. See #10190 for more details about that case. It can be very confusing to experience a revoked auth token, especially if you didn't take the action to revoke the token, since there is no indication in the app of what's happened. |
|
This issue has been marked as stale because:
Please comment with an update if you believe this issue is still valid or if it can be closed. This issue will also be reviewed for validity and priority (cc @designsimply). |
|
@designsimply do you think this one might be worth adding to our Groundskeeping list? |
|
I'm going to add this to Groundskeeping because I think it's worth at least an initial investigation to document current behavior and expectations, and estimate how much effort it would be to update the app's behavior. (In my comment above I also mentioned that the auth token can be revoked on a password reset, but at this point not positive about the expectations there, either.) |
If a wpcom/Jetpack user visits https://wordpress.com/me/security/connected-applications they can opt to disconnect the mobile apps. This invalidates their bearer token and any subsequent request to the wpcom REST API requiring authentication will fail.
Investigate how to detect this scenario and, when detected, log the user out of wpcom (showing the welcome screen if necessary).
The text was updated successfully, but these errors were encountered: