Signing the user out

Whenever a device is detached, the owner/user of that device should be logged out immediately. Let's take a closer look at some scenarios and how to handle them.

If a device is offline when it gets detached, you can simply leave it as it is. The next time the offline device comes online and gets attached, the logic will re-run and Rupt will re-evaluate the attached devices.

Device is online and is detached (by another device or for inactivity)

Rupt automatically notifies devices that are online. We use realtime APIs to send a notification to the SDK, which redirects the detached device to redirect_urls.logout_url. You must add this callback with the proper logout URL to see the results.

Important: You must add the redirect_urls.logout_url parameter to the attach function for realtime detach handling to work properly.

Device is offline and is detached (by another device or for inactivity)

Because the device is offline, there is no realtime communication between Rupt's servers and the device, so we cannot notify it immediately. Instead, Rupt's servers send a webhook event of type device.detached, which includes the device information and any metadata that was added to the device on the attach request.

If you implement the webhooks, when you receive the event, you should expire the user session, delete their login cookies or expire their bearer token. Because the user will have multiple sessions, you can send an identifier in the metadata and use that to select which session to log out.
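
One way to apply this on the server, as an added example that is not Rupt's own code: the payload field names, the session_id metadata key and the in-memory session store are assumptions made for illustration.

```javascript
// Added example. Assumed payload shape (field names are not from Rupt's docs):
//   { type: "device.detached", device: { id, metadata: { session_id } } }
// `session_id` is a hypothetical metadata key your app sets on the attach request.

// Constructed in-memory session store: session id -> session record.
const sessions = new Map([
  ["sess_laptop", { userId: "user_1", revoked: false }],
  ["sess_phone", { userId: "user_1", revoked: false }],
]);

// Handles one parsed webhook event and returns a short outcome string.
// This function assumes the caller has already authenticated the request.
function handleRuptEvent(event, store) {
  if (!event || event.type !== "device.detached") {
    return "ignored"; // other event types are not this handler's concern
  }
  const metadata = (event.device && event.device.metadata) || {};
  const sessionId = metadata.session_id;
  if (typeof sessionId !== "string" || sessionId === "") {
    return "no_session_id"; // cannot tell which session to end
  }
  const session = store.get(sessionId);
  if (!session) {
    return "unknown_session"; // already expired or never existed
  }
  if (session.revoked) {
    return "already_revoked"; // a repeated delivery must be harmless
  }
  session.revoked = true; // only this session; the user's others stay valid
  return "revoked";
}

// Request-time check your auth middleware would make for cookies or tokens.
function isSessionValid(sessionId, store) {
  const session = store.get(sessionId);
  return Boolean(session) && !session.revoked;
}

// Constructed sample event for the detached phone.
const sampleEvent = {
  type: "device.detached",
  device: { id: "dev_123", metadata: { session_id: "sess_phone" } },
};
```

The outcome string is useful to log, since a steady stream of no_session_id results means the attach call is not passing the identifier.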

Take a look at the Handle webhook events guide.