
refreshFamilies

SuperWEB2 and SuperADMIN use narrowly-scoped access tokens intended for specific subsets of tasks (such as tabulation, viewing the catalogue, etc.) and refresh tokens that are used to generate access tokens.

When a client authenticates with the server, the server initially provides it with a catalogue access token and a refresh token. These are linked to an internal “refresh family”, which acts as a session. Whenever another access token is required, the refresh token must be provided as authorisation and, if successful, the requested token and a replacement refresh token are returned in the response. Only the most recent refresh token will be accepted. If an earlier refresh token is presented to SuperADMIN, it assumes either that an attacker is replaying an old token, or that an attacker has already used the newer token and the legitimate user is now the one holding the old token. Either way, the session has been compromised, so the refresh family is revoked, and no tokens generated from it will work.

Tabulation tokens are generated for every tabulation, and by default expire after 15 minutes. These tokens are checked by SuperSERVER almost immediately after creation, so the lifespan can be quite low, as it only needs to account for any load spikes that may delay processing of the request.

Since refresh tokens have their own expiry, they may need to be refreshed before another access token is required. This is done by checking the refresh token expiry on every user action and, if it is close to expiring, sending a request for an access token specifically to refresh the refresh token. If the refresh token has already expired because the user did not perform an action for an extended period of time, their session is effectively ended: an expired refresh token is no longer valid, and it is the only way to obtain a new one without logging in again. This can be thought of as a session timeout.

Refresh families also have an overall expiry after which refreshing the refresh token is no longer allowed. This can be thought of as the maximum session time.

You can use the refreshFamilies command to manually revoke JWT refresh families, for example if you believe that a specific token or refresh family has been compromised.

refreshFamilies revoke <family_id>

Revokes the specified family ID.

refreshFamilies revokeUser <user_id>

Revokes all current refresh families for the specified user. This will effectively log the user out everywhere and prevent any queued tables from being tabulated.

If you believe that the user’s account has been compromised then you should also reset the user’s password.
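The following is an added illustrative model of the refresh-family behaviour described above (rotation, rejection of anything but the newest refresh token, session timeout, maximum session time, and per-user revocation). It is not SuperADMIN's code; the durations, token formats and class names are constructed assumptions.

```python
import secrets
import time

# Added illustrative model of refresh-family rotation; not SuperADMIN's own code.
# Durations are constructed sample values, not the product's defaults.
REFRESH_TTL = 30 * 60      # refresh-token expiry: the session timeout
FAMILY_TTL = 8 * 60 * 60   # refresh-family expiry: the maximum session time
ACCESS_TTL = 15 * 60       # lifetime of a narrowly-scoped access token


class RefreshFamilyStore:
    """One 'refresh family' per login; only its newest refresh token is accepted."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry behaviour can be tested
        self.families = {}      # family_id -> state

    def login(self, user_id):
        """Start a session: create a family and issue its first refresh token."""
        fid = secrets.token_hex(8)
        self.families[fid] = {"user": user_id, "revoked": False,
                              "created": self.now(), "current": None, "refresh_exp": 0}
        return fid, self._rotate(fid)

    def _rotate(self, fid):
        fam = self.families[fid]
        fam["current"] = secrets.token_urlsafe(32)
        fam["refresh_exp"] = self.now() + REFRESH_TTL
        return fam["current"]

    def refresh(self, fid, presented, scope="catalogue"):
        """Return a scoped access token plus a replacement refresh token, or None if the session is over."""
        fam = self.families.get(fid)
        if fam is None or fam["revoked"]:
            return None
        now = self.now()
        if now >= fam["refresh_exp"] or now >= fam["created"] + FAMILY_TTL:
            fam["revoked"] = True   # idle timeout or maximum session time reached
            return None
        if not secrets.compare_digest(presented, fam["current"]):
            fam["revoked"] = True   # old or unknown token replayed: treat family as compromised
            return None
        access = {"scope": scope, "user": fam["user"], "exp": now + ACCESS_TTL}
        return {"access": access, "refresh": self._rotate(fid)}

    def revoke_user(self, user_id):
        """Equivalent of 'refreshFamilies revokeUser <user_id>': log the user out everywhere."""
        for fam in self.families.values():
            if fam["user"] == user_id:
                fam["revoked"] = True
```

Note that a replayed old token revokes the whole family, so even the legitimate holder of the newest token is logged out, which is the intended response to a suspected compromise.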
