Force user to reauthenticate periodically


I would like to use a custom authentication scheme that probably involves the admin REST api. I don’t want clients to keep their websocket session forever without reauthentication.

What is the preferred way to force the client (couchbase lite) to reauthenticate from the server side. I cannot trust the client to log out automatically.

One idea I had was to have an authenticated heartbeat to a custom REST endpoint that if not received within the time limit will cancel all existing sessions for the given user. Will that terminate any ongoing connection/sync session?

Or is there a simpler way to archive what I want with build-in functionality. My authentication is token/certificate based so I don’t need user interaction to authenticate in general.


Instead of having clients do it, your App Server (the one that’s doing the authentication and creating the session on the Sync Gateway) should delete the session on sync gateway

Sync gateway does the client authentication only during connection setup. So, even if session expires on sync gateway, that wouldn’t help if you have continuous replication. So you would need to do one-shot replication. If you use one-shot , the Sync Gateway will re-authenticate and reject connections coming in with an expired token every time a one shot replication is started.

If you must use continuous replication, then having an out of band way of notifying the client of expired token so it can tear down existing replication and reestablish replication is probably your best option. You can do that for one-shot as well (but expectation is that one shot is short lived so you could get away without that)

Thanks for the quick reply, Priya. Unfortunately I need continuous synchronisation and I also don’t trust the client so I cannot assume it complies with the request to tear down the connection. What other options leaves this?

We’ve got a feature in the backlog to terminate 2.x websocket replications via session delete, which I think closes up this gap here: