-
Notifications
You must be signed in to change notification settings - Fork 90
/
Copy pathwork-with-multiple-users.txt
109 lines (77 loc) · 3.96 KB
/
work-with-multiple-users.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
.. _web-multi-user:
==================================
Work with Multiple Users - Web SDK
==================================
.. contents:: On this page
:local:
:backlinks: none
:depth: 2
:class: singlecol
Overview
--------
The Realm SDK allows multiple :ref:`users <user-accounts>` to be logged in to an
app simultaneously on a given browser. Realm client applications run
in the context of a single active user even if multiple users are logged in
simultaneously. You can quickly switch between authenticated users without
requiring them to log in again.
.. important::
**Any logged in user may become the active user without re-authenticating.**
Depending on your app, this may be a security vulnerability. For example, a
user on a shared browser may switch to a coworker's logged in account without
providing their credentials or requiring their explicit permission. If your
application requires stricter authentication, avoid switching between users
and prefer to explicitly log the active user out before authenticating
another user.
User Account States
~~~~~~~~~~~~~~~~~~~
When a user first logs in through a Realm SDK on a given browser,
the SDK saves the user's information and keeps track of the user's state. The
user's data remains in local storage, even if they log out, unless you actively
:ref:`remove the user <web-remove-user>` or purge data from the browser.
The following states describe a tracked user at any given time:
- **Authenticated:** any user that has logged in on the browser
and has not logged out or had its session revoked.
- **Active**: a single authenticated user that is currently using the
app on a given browser. The SDK associates this user with outgoing
requests and Atlas App Services evaluates data access permissions and runs
functions in this user's context. See :ref:`active user <active-user>` for
more information.
- **Inactive**: all authenticated users that are not the current
active user. You can :ref:`switch the active user <web-switch-user>` to a
currently inactive user at any time.
- **Logged Out:** any user that authenticated on the browser but
has since logged out or had its session revoked.
The following diagram shows how users within a Realm client app
transition between states when certain events occur:
.. figure:: /images/multi-user.png
:alt: A diagram the outlines the different states a user can be in: logged out, logged in and active, & logged in and inactive.
.. _web-add-user:
Add a New User to a Device
--------------------------
The Realm SDK automatically saves user data to a browser's local
storage when they log in for the first time on that browser. When a user logs
in, they immediately become the application's :ref:`active user <active-user>`.
.. literalinclude:: /examples/generated/web/authentication-work-with-multiple-users.test.snippet.add-new-user.js
:language: javascript
.. _web-list-users:
List All On-Device Users
~~~~~~~~~~~~~~~~~~~~~~~~
You can access a list of all :ref:`user accounts <user-accounts>` associated
with the browser. This list includes all users that have logged in to the client
app regardless of whether they are currently authenticated.
.. literalinclude:: /examples/generated/web/authentication-work-with-multiple-users.test.snippet.list-all-on-device-users.js
:language: javascript
.. _web-switch-user:
Switch the Active User
~~~~~~~~~~~~~~~~~~~~~~
You can quickly switch an app's :ref:`active user <active-user>` to another
logged in user at any time.
.. literalinclude:: /examples/generated/web/authentication-work-with-multiple-users.test.snippet.switch-active-user.js
:language: javascript
.. _web-remove-user:
Remove a User from the Device
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can remove all information about a user from the browser and automatically
log the user out.
.. literalinclude:: /examples/generated/web/authentication-work-with-multiple-users.test.snippet.remove-user-from-device.js
:language: javascript