Authentication And Security

How to Prevent Simultaneous User Logins

Summary

In this guide, we'll walk you through the steps to create a password-sharing prevention mechanism in your Xano application using the platform's native authentication and authorization flows. This feature is particularly useful if you want to revoke a user's access when a new login is detected on their account.

Step 1: Create a Session Key Column in the User Table

First, we need to create a new column in the User table to store the session key. Follow these steps:

  1. Go to your User database table.
  2. Create a new column with the name "SessionKey" and set the data type to "Text."

Step 2: Modify the Login API Endpoint

Next, we'll modify the default Login API endpoint to generate and store a unique session key for each user login.

  1. Navigate to the API Builder and locate the default API group.
  2. Open the Login API endpoint.
  3. Between steps 4 and 5, add a new step using the `UUID` function under Security Functions. Name this step "session_key."
  4. In the "Extras" section, click "Set" and set the path to "session_key" and the value to the "session_key" variable created in the previous step.
  5. Add a new step to update the User record with the generated session key. Use the "Edit Records" function and select the User table. Set the ID to the "user.id" variable returned from the initial database query, and assign the "session_key" variable to the "SessionKey" column.

Step 3: Create a Validate Session Key Function

We'll create a reusable function to validate the session key for each API request.

  1. Go to the Library Functions section and create a new function called "validate_session_key."
  2. Add a step to fetch the User record using the "Get Record" function and the ID from the authentication token.
  3. Create a precondition to check if the session key from the request matches the one stored in the database. If they match, grant access; otherwise, deny access with an error message (e.g., "This account has had a new login.").

Step 4: Apply the Validate Session Key Function to API Endpoints

Finally, we'll apply the `validate_session_key` function to every API endpoint that requires user authentication. An authenticated endpoint that omits this step will keep accepting older tokens, because the token itself remains valid after a new login; only the session key comparison revokes it.

  1. Create a new API endpoint (e.g., "API_123").
  2. Add the `validate_session_key` function as the first step.
  3. Ensure that the API endpoint has the "User Authentication Required" option enabled.
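As an added illustration (not Xano's own code or part of the original guide), the Python below models the mechanism built in Steps 2 to 4 with a constructed in-memory user table and a hypothetical signed token format, and includes an endpoint that skips the check to show why every authenticated endpoint needs it:

```python
import hmac
import json
import secrets
import uuid

# Constructed stand-in for the Xano User table; the user row is hypothetical.
USERS = {1: {"id": 1, "email": "alice@example.com", "SessionKey": None}}
SECRET = secrets.token_bytes(32)  # placeholder token-signing key

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, "sha256").hexdigest()

def login(user_id: int) -> str:
    """Modified Login endpoint: mint a UUID session key, write it to the
    user's SessionKey column (Edit Records) and place it in the token's
    extras under the path "session_key"."""
    session_key = str(uuid.uuid4())
    USERS[user_id]["SessionKey"] = session_key
    payload = json.dumps({"id": user_id, "extras": {"session_key": session_key}}).encode()
    return payload.hex() + "." + _sign(payload)

def decode_token(token: str) -> dict:
    """Stand-in for the platform's token check: the signature still verifies
    after a newer login, which is why the database comparison below is needed."""
    body, sig = token.split(".", 1)
    payload = bytes.fromhex(body)
    if not hmac.compare_digest(_sign(payload), sig):
        raise PermissionError("invalid token")
    return json.loads(payload)

def validate_session_key(token: str) -> dict:
    """validate_session_key library function: Get Record by the token's id,
    then a precondition comparing the stored key with the token's extra."""
    auth = decode_token(token)
    user = USERS.get(auth["id"])
    presented = auth.get("extras", {}).get("session_key", "")
    if user is None or not hmac.compare_digest(user["SessionKey"] or "", presented):
        raise PermissionError("This account has had a new login.")
    return user

def api_123(token: str) -> str:
    validate_session_key(token)  # first step, before any business logic
    return "ok"

def legacy_endpoint(token: str) -> str:
    decode_token(token)  # authentication only: an older token still passes here
    return "ok"
```

Running `login(1)` twice and calling `api_123` with the first token reproduces the error from the Testing section, while `legacy_endpoint` still accepts that stale token.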

Testing the Implementation

To test the password-sharing prevention mechanism, follow these steps:

  1. Run the modified Login API endpoint to obtain a valid authentication token.
  2. Use the token to access the API_123 endpoint successfully.
  3. Obtain a new authentication token by logging in again.
  4. Try accessing API_123 with the new token, which should work as expected.
  5. Attempt to access API_123 with the old token, and you should receive the "This account has had a new login" error.

By implementing this feature, you can effectively prevent password sharing in your Xano application and ensure that only one active session is allowed per user at any given time.

If you have any questions or need further assistance, feel free to leave a comment below or reach out to the Xano support team via chat. Don't forget to subscribe to the Xano YouTube channel and visit community.xano.com to explore more resources and guides.

This transcript was AI generated to allow users to quickly answer technical questions about Xano.
