This repository was archived by the owner on Jun 30, 2023. It is now read-only.

User logout on any device forces logout on all devices #8

@kujenga

Description


When the logout action is called in the access controller, the authentication_token is deleted from the database, preventing an attack vector where long-lasting authentication_tokens might be used maliciously if discovered.

However, if the user is logged in on other devices, the authentication_tokens stored on those devices are then invalid since any record of them has been deleted. This forces logout on all devices and is a hassle for our users who may be on multiple devices. It is handled by the app currently by forcing a logout and login.

Possible solution could be to associate a separate authentication_token with each UniqueDeviceIdentifier object, and then handle logout on a device-specific level.

On the other hand, this behavior could be considered desirable if a user were to lose a device, etc. and want to logout on all devices. Thus it could be a choice presented to them.
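The per-device token design proposed above, sketched as an added example (not the project's code): each (user, device) pair gets its own token, logout revokes only that device's token, and a separate "log out everywhere" action covers the lost-device case. The in-memory store, the `device_id` string and the method names are assumptions standing in for the real `UniqueDeviceIdentifier` records and controller; only a digest of each token is stored so a database leak does not expose usable tokens.

```ruby
require 'securerandom'
require 'digest'

# Constructed in-memory stand-in for the users/devices tables (hypothetical).
class DeviceSessionStore
  Session = Struct.new(:user_id, :device_id, :created_at)

  def initialize
    @sessions = {} # SHA-256 digest of token => Session
  end

  # Issue a fresh random token bound to (user, device). Re-login on the same
  # device replaces that device's token; other devices are untouched.
  def login(user_id, device_id)
    logout_device(user_id, device_id)
    token = SecureRandom.urlsafe_base64(32)
    @sessions[digest_of(token)] = Session.new(user_id, device_id, Time.now)
    token
  end

  # Look up the presented token; returns the Session or nil if unknown/revoked.
  def authenticate(token)
    return nil unless token.is_a?(String) && !token.empty?
    @sessions[digest_of(token)]
  end

  # Device-specific logout: revoke only this device's token. Returns count removed.
  def logout_device(user_id, device_id)
    before = @sessions.size
    @sessions.delete_if { |_, s| s.user_id == user_id && s.device_id == device_id }
    before - @sessions.size
  end

  # "Log out everywhere" for the lost-device case: revoke all the user's tokens.
  def logout_all(user_id)
    before = @sessions.size
    @sessions.delete_if { |_, s| s.user_id == user_id }
    before - @sessions.size
  end

  # Devices that currently hold a live token for this user (sorted for stable output).
  def active_devices(user_id)
    @sessions.values.select { |s| s.user_id == user_id }.map(&:device_id).sort
  end

  private

  def digest_of(token)
    Digest::SHA256.hexdigest(token)
  end
end
```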
