Flaschengeist/flaschengeist
Flaschengeist
/
flaschengeist
7
0
Fork 0
Code Issues 20 Pull Requests Packages Projects Releases 2 Wiki Activity

[core] log out is not working #7

New Issue
Closed
opened 2021-05-20 17:06:42 +00:00 by groegert · 5 comments
groegert commented 2021-05-20 17:06:42 +00:00
Member
Copy Link

session is not deleted on log out.

  • an additional session is beeing displayed when relogin and looking at settings
  • in backend there are 2 sessions after relogin (select * from session)

To reproduce

  1. browser firefox
  2. logged in as admin (default)
  3. using the upper right button to log out
  4. log in again
  5. goto 'Admin->Einstellungen'
    --> 2 sessions are shown
  6. select * from user in backend database
    --> 2 sessions are shown
session is not deleted on log out. * an additional session is beeing displayed when relogin and looking at settings * in backend there are 2 sessions after relogin (select * from session) To reproduce 1. browser firefox 2. logged in as admin (default) 3. using the upper right button to log out 4. log in again 5. goto 'Admin->Einstellungen' --> 2 sessions are shown 6. select * from user in backend database --> 2 sessions are shown
ferfissimo added the
🎒 backend
 label 2021-05-20 20:56:53 +00:00
ferfissimo added this to the v2.0-beta milestone 2021-05-20 20:57:42 +00:00
groegert added the
📺 frontend
 label 2021-05-21 07:40:32 +00:00
groegert commented 2021-05-21 08:25:44 +00:00
Author
Member
Copy Link

I think this should be fixed in frontend.
The call stores/index.ts->logout() 'api.delete('/auth/${token}')' should be done within a valid session. Otherwise everybody could delete sessions without beeing logged in.
So the sequence should be changed from:

this.$patch({
  session: undefined,
  user: undefined,
});
await api.delete(`/auth/${token}`);

to

await api.delete(`/auth/${token}`);
this.$patch({
  session: undefined,
  user: undefined,
});
I think this should be fixed in frontend. The call stores/index.ts->logout() 'api.delete('/auth/${token}')' should be done within a valid session. Otherwise everybody could delete sessions without beeing logged in. So the sequence should be changed from: ``` this.$patch({ session: undefined, user: undefined, }); await api.delete(`/auth/${token}`); ``` to ``` await api.delete(`/auth/${token}`); this.$patch({ session: undefined, user: undefined, }); ```
groegert commented 2021-05-21 08:29:34 +00:00
Author
Member
Copy Link

fixed with commit: f2b7f3a3b4

fixed with commit: f2b7f3a3b4
groegert added the
🐞 bug
 label 2021-05-21 08:30:39 +00:00
ferfissimo commented 2021-05-21 11:17:49 +00:00
Owner
Copy Link

I do not see how the changes should fix the problem.

The call stores/index.ts->logout() 'api.delete('/auth/${token}')' should be done within a valid session. Otherwise everybody could delete sessions without beeing logged in.

This is true, but should be checked on the backend not the frontend (check if valid session token is set and session belongs to user).

So the sequence should be changed from:

this.$patch({
  session: undefined,
  user: undefined,
});
await api.delete(`/auth/${token}`);

to

await api.delete(`/auth/${token}`);
this.$patch({
  session: undefined,
  user: undefined,
});

This was intentional, because if the session is expired the backend will emit a HTTP-401 on every API request, the frontend will handle this by logging out and go back to login page.
Now the logout will try to send a DELETE but gets a HTTP-401 which is intercepted and result in an other logout attempt, which leads to infinit logout requests.

So the idea was to first patch the session, as the token is "valid" when the function gets called" and then do the logout, because then every next logout attempt will get canceled (guard in line 77 )

But I think this might be not the ideal way of handling this, when we receive a 401 the token is outdated, so we rather should simply clear the stores and LocalStorage.

I do not see how the changes should fix the problem. > The call stores/index.ts->logout() 'api.delete('/auth/${token}')' should be done within a valid session. Otherwise everybody could delete sessions without beeing logged in. This is true, but should be checked on the backend not the frontend (check if valid session token is set and session belongs to user). > So the sequence should be changed from: > ``` > this.$patch({ > session: undefined, > user: undefined, > }); > await api.delete(`/auth/${token}`); > ``` > to > ``` > await api.delete(`/auth/${token}`); > this.$patch({ > session: undefined, > user: undefined, > }); > ``` This was intentional, because if the session is expired the backend will emit a `HTTP-401` on every API request, the frontend will handle this by logging out and go back to login page. Now the logout will try to send a `DELETE` but gets a `HTTP-401` which is intercepted and result in an other logout attempt, which leads to infinit logout requests. So the idea was to first patch the session, as the token is "valid" when the function gets called" and then do the logout, because then every next logout attempt will get canceled (guard in [line 77](https://flaschengeist.dev/Flaschengeist/flaschengeist-frontend/src/branch/develop/src/stores/index.ts#L77) ) But I think this might be not the ideal way of handling this, when we receive a 401 the token is outdated, so we rather should simply clear the stores and LocalStorage.
groegert commented 2021-05-24 09:33:34 +00:00
Author
Member
Copy Link

I see: store.logout does not only logout a valid session but does also handles an unauthorized session (HTTP-401), i.e. an expired session.
So solution would be to separate the 2 cases:

  • store.logout -- which logs out in backend
  • store.handleLoggedOut -- which cleans up to store to be in sync with backend

With this it is possible to have multiple (async) logouts. But these would just result in correctly cleaning up the store.

I see: `store.logout` does not only logout a valid session but does also handles an unauthorized session (`HTTP-401`), i.e. an expired session. So solution would be to separate the 2 cases: * `store.logout` -- which logs out in backend * `store.handleLoggedOut` -- which cleans up to store to be in sync with backend With this it is possible to have multiple (async) logouts. But these would just result in correctly cleaning up the store.
groegert reopened this issue 2021-05-24 09:33:35 +00:00
groegert commented 2021-05-24 17:37:00 +00:00
Author
Member
Copy Link

fixed with comit: 9940589d1a and 625ac55b0a

fixed with comit: [9940589d1a](https://flaschengeist.dev/Flaschengeist/flaschengeist-frontend/commit/9940589d1ac42f40f1761bd9b53f89ec4257f9ec) and [625ac55b0a](https://flaschengeist.dev/Flaschengeist/flaschengeist-frontend/commit/625ac55b0a2e88b18e008e2ced4974363c4eca4d)
Sign in to join this conversation.
develop
Branches Tags
Clear current reference
main
pricelist_remove
develop
master
feature/balance
feature/migrations
proposal/metadata2
proposal/plugin-metadata
feature/events
feature/pricelist
feature/orders
v1
Clear current reference
v2.2.0
v2.1.0
v2.0.0
v2.0.0.dev1
v2.0.0.dev0
Labels
Clear labels   
🛃 types

Issue with @flaschengeist/types

  
👪 users

Issue with @flaschengeist/users

  
invalid

Something is wrong

  
wontfix

This won't be fixed

  
🚀 announcement

news from the project

  
🎒 backend

issue related to backend

  
🐞 bug

Something is not working

  
🐋 docker

issue with the docker files

  
💡 enhancement

New feature

  
📺 frontend

issue related to frontend

  
🤔 question

More information is needed

  
🔗duplicate

This issue or pull request already exists

No Label
🛃 types
👪 users
invalid
wontfix
🚀 announcement
🎒 backend
🐞 bug
🐋 docker
💡 enhancement
📺 frontend
🤔 question
🔗duplicate
Milestone
Clear milestone
No items
No Milestone
v2.0-beta
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Flaschengeist/flaschengeist#7
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?