Skip to content

feat: expose revokeRefreshToken#1147

Merged
yogeshchoudhary147 merged 3 commits into
mainfrom
feat/revoke-refresh-token
Jul 10, 2026
Merged

feat: expose revokeRefreshToken#1147
yogeshchoudhary147 merged 3 commits into
mainfrom
feat/revoke-refresh-token

Conversation

@yogeshchoudhary147

@yogeshchoudhary147 yogeshchoudhary147 commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Closes #1134

  • Expose revokeRefreshToken on Auth0ContextInterface and wire it through Auth0Provider
  • Re-export RevokeRefreshTokenOptions from @auth0/auth0-spa-js via src/index.tsx
  • Add tests (call, error propagation, memoization)
  • Document usage in EXAMPLES.md

Test plan

  • npm test passes with 100% coverage

Manual testing

  • Basic revoke: log in with useRefreshTokens={true} → call revokeRefreshToken() → confirm the next getAccessTokenSilently() fails with login_required (refresh token is no longer valid)
  • With audience: log in with multiple audiences → call revokeRefreshToken({ audience: 'https://api.example.com' }) → confirm only that audience's token is invalidated
  • No-op without refresh tokens: configure with useRefreshTokens={false} → call revokeRefreshToken() → confirm no error is thrown and auth state is unchanged

Summary by CodeRabbit

  • New Features
    • Added revokeRefreshToken to the authentication context, with optional audience targeting.
    • Exposed RevokeRefreshTokenOptions for use with revocation calls.
  • Documentation
    • Added a “Revoke Refresh Token” guide with React examples, including behavior when refresh tokens are disabled, multi-audience impact, and expected follow-up authentication behavior (plus optional logout snippet).
  • Tests
    • Added tests covering method availability, audience option forwarding, error propagation, and memoization stability across rerenders.

@yogeshchoudhary147 yogeshchoudhary147 requested a review from a team as a code owner July 8, 2026 13:22
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2953fa0c-e39a-4a22-b354-0b8bc6d0d330

📥 Commits

Reviewing files that changed from the base of the PR and between 073f314 and 986d3bb.

📒 Files selected for processing (1)
  • EXAMPLES.md
✅ Files skipped from review due to trivial changes (1)
  • EXAMPLES.md

📝 Walkthrough

Walkthrough

Adds revokeRefreshToken to the Auth0 React SDK context, delegates calls through Auth0Provider to the underlying client, exports its options type, and adds mocks, tests, and usage documentation.

Changes

Revoke Refresh Token feature

Layer / File(s) Summary
Context contract and public type export
src/auth0-context.tsx, src/index.tsx
Adds revokeRefreshToken(options?: RevokeRefreshTokenOptions): Promise<void> to the context, updates the initial stub, and re-exports RevokeRefreshTokenOptions.
Provider delegation and context wiring
src/auth0-provider.tsx
Implements the callback through client.revokeRefreshToken, exposes it on contextValue, and updates memoization dependencies.
Mock coverage and usage documentation
__mocks__/@auth0/auth0-spa-js.tsx, __tests__/auth-provider.test.tsx, EXAMPLES.md
Adds client mock support, tests exposure, forwarding, errors, and memoization, and documents revocation behavior and usage.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant App
  participant Auth0Provider
  participant Auth0Client

  App->>Auth0Provider: revokeRefreshToken(options)
  Auth0Provider->>Auth0Client: client.revokeRefreshToken(options)
  Auth0Client-->>Auth0Provider: Promise<void>
  Auth0Provider-->>App: resolved or rejected
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects the main change: exposing revokeRefreshToken.
Linked Issues check ✅ Passed The PR exposes revokeRefreshToken through useAuth0 as requested and adds matching types, mock support, tests, and docs.
Out of Scope Changes check ✅ Passed The added tests, mock updates, type export, and documentation all support the requested API exposure and are in scope.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/revoke-refresh-token

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
__tests__/auth-provider.test.tsx (1)

606-651: 🎯 Functional Correctness | 🔵 Trivial | 💤 Low value

Simplify the memoization test. Move rerender() outside waitFor() so the assertion runs once and is easier to read.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@__tests__/auth-provider.test.tsx` around lines 606 - 651, The memoization
test for revokeRefreshToken is doing the rerender inside waitFor, which makes
the assertion harder to follow. Update the test in the Auth0Context suite so
rerender() is called outside waitFor, then assert that
result.current.revokeRefreshToken stays referentially equal to the saved
memoized function in a single, straightforward expectation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@__tests__/auth-provider.test.tsx`:
- Around line 606-651: The memoization test for revokeRefreshToken is doing the
rerender inside waitFor, which makes the assertion harder to follow. Update the
test in the Auth0Context suite so rerender() is called outside waitFor, then
assert that result.current.revokeRefreshToken stays referentially equal to the
saved memoized function in a single, straightforward expectation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7c70426b-6b57-4e41-ac09-42918f17540b

📥 Commits

Reviewing files that changed from the base of the PR and between 305b622 and 5e2c502.

📒 Files selected for processing (6)
  • EXAMPLES.md
  • __mocks__/@auth0/auth0-spa-js.tsx
  • __tests__/auth-provider.test.tsx
  • src/auth0-context.tsx
  • src/auth0-provider.tsx
  • src/index.tsx

@yogeshchoudhary147 yogeshchoudhary147 force-pushed the feat/revoke-refresh-token branch from ac2d26f to 073f314 Compare July 10, 2026 07:51

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@EXAMPLES.md`:
- Around line 825-828: Remove the standalone blank blockquote line before the
fenced code block in the refresh-token revocation example, keeping the fence
directly within the blockquote to satisfy markdownlint MD028.
- Around line 825-830: Make the revoke-and-logout example self-contained by
declaring logout alongside revokeRefreshToken, destructuring both from
useAuth0(), or explicitly showing that logout must be obtained from the hook
before it is called.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: c8d93b6c-584e-470c-83a4-a80c4b626f5d

📥 Commits

Reviewing files that changed from the base of the PR and between ac2d26f and 073f314.

📒 Files selected for processing (6)
  • EXAMPLES.md
  • __mocks__/@auth0/auth0-spa-js.tsx
  • __tests__/auth-provider.test.tsx
  • src/auth0-context.tsx
  • src/auth0-provider.tsx
  • src/index.tsx
🚧 Files skipped from review as they are similar to previous changes (5)
  • src/index.tsx
  • mocks/@auth0/auth0-spa-js.tsx
  • tests/auth-provider.test.tsx
  • src/auth0-provider.tsx
  • src/auth0-context.tsx

Comment thread EXAMPLES.md
Comment thread EXAMPLES.md
Piyush-85
Piyush-85 previously approved these changes Jul 10, 2026

@Piyush-85 Piyush-85 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@yogeshchoudhary147 yogeshchoudhary147 merged commit 794a050 into main Jul 10, 2026
15 checks passed
@yogeshchoudhary147 yogeshchoudhary147 deleted the feat/revoke-refresh-token branch July 10, 2026 08:04
yogeshchoudhary147 added a commit that referenced this pull request Jul 10, 2026
**Added**
- feat: expose revokeRefreshToken
[\#1147](#1147)
([yogeshchoudhary147](https://github.com/yogeshchoudhary147))


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added support for exposing `revokeRefreshToken`, enabling applications
to revoke refresh tokens.
* Added documentation for configuring the token audience when revoking a
refresh token.

* **Documentation**
* Refreshed API reference pages, navigation, hierarchy, and search
content.
  * Updated source links and generated documentation metadata.

* **Chores**
  * Bumped the package version to 2.21.0.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Surface revokeRefreshToken() in the React SDK

2 participants