Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Logout does not clear the tokens #210

Closed
iamsayantan opened this issue Jun 28, 2018 · 36 comments
Closed

Logout does not clear the tokens #210

iamsayantan opened this issue Jun 28, 2018 · 36 comments
Labels

Comments

@iamsayantan
Copy link

Version

v4.5.1

Reproduction link

https://jsfiddle.net/

Steps to reproduce

logout then login

What is expected ?

Logout should clear the old access tokens. As per this issue ( #57 ) here, its fixed in version 4.0 .

What is actually happening?

Hello, I am facing this issue while trying to log in after a logout. After login api is called and the access token it is set in both localstorage and cookie. But the fetchUser() method is using the previous access token. I am using version 4.5.1. I even manually set the axios headers to null.

        async logout() {
                await this.$auth.logout({
                    data: {
                        device_id: this.device_id
                    }
                });

                this.$axios.setHeader('Authorization', null);
                this.$toast.show('Successfully logged out');
            }

Request response flow:
Login
Request:

Request URL: http://localhost:3000/api/users/login
Request Method: POST
Status Code: 200 OK
Remote Address: 127.0.0.1:3000
Referrer Policy: no-referrer-when-downgrade

Response

{
    "data": { 
         "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijk3M2QyZWEzZWUyMzI0OWM4NThkMWQ2OTYyMThjZTlkN2IwZTk0NDAwOTljZDZiMzg4ZWMwYTZlOTNhYjllYjJiMzFhZTk1MGJiOGE4MGFhIn0.eyJhdWQiOiIxIiwianRpIjoiOTczZDJlYTNlZTIzMjQ5Yzg1OGQxZDY5NjIxOGNlOWQ3YjBlOTQ0MDA5OWNkNmIzODhlYzBhNmU5M2FiOWViMmIzMWFlOTUwYmI4YTgwYWEiLCJpYXQiOjE1MzAxNjk2OTksIm5iZiI6MTUzMDE2OTY5OSwiZXhwIjoxODQ1Nzg4ODk5LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.B9T9h5X6dSZs3MFIl4xEOsIp66T-B4H9UFTYx7EDnp8b_2yeNdSNmrfKTo6cercpW0AAAlw_xFUOswpqZuOrRpDhGxSiL0Uz3LPelXC2VeTUvfDT75CCODyOWQP-nUPh49Nqp_GCizBmL219IiQLwXtYlEuEJbpXuHiN2LFS7N_xeELLLSPVGfc4PIgJ4rCCVnmOKYPXQHP_Vn7OsqpVyYWPi2yzjnmlIVbYdt8W7KycC6VZfJBJcgRVU-yi4G17PI9sFCuYgCU8Uh-bneGDgaWm9VLTOAIc_dMaDt0PnOt90oh6EeBLEdsa8MYh3v7iDeKIzM6pLBuGUGrvPM9lu-OmD1Q0mQsUgsd-oPYPANLpgZErlcZzD-sfqvc8ryt-s2SGlc882WcLgrpDxSVaxXXkcLWp7PhuLfrzoTRUJig8Gw-rrxV6cUMc551ItTWdFmZNUWJLa_UlgSfQEn4aH9rLTlvkFPocdSqBeCw4Br0QnjBS7fznw6Mw17dKCSMmxVVfhFTll3-60jWAnN7KA0hDGIjppUQZs5ADlSkcmPc_OzoOAk8v115zKrD93fKYRL0rKFHpildu_SrVRhwjkViSqbgBjh6YDSKd69H6HwJzBrhDiuCLdkDgRuRnn9p-1zCKlR0QQTWSUVm8Bq3bd7ZOPTMGfprdJqaP6pfGQgQ" 
    }
}

Logout
Request

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,bn;q=0.8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijk3M2QyZWEzZWUyMzI0OWM4NThkMWQ2OTYyMThjZTlkN2IwZTk0NDAwOTljZDZiMzg4ZWMwYTZlOTNhYjllYjJiMzFhZTk1MGJiOGE4MGFhIn0.eyJhdWQiOiIxIiwianRpIjoiOTczZDJlYTNlZTIzMjQ5Yzg1OGQxZDY5NjIxOGNlOWQ3YjBlOTQ0MDA5OWNkNmIzODhlYzBhNmU5M2FiOWViMmIzMWFlOTUwYmI4YTgwYWEiLCJpYXQiOjE1MzAxNjk2OTksIm5iZiI6MTUzMDE2OTY5OSwiZXhwIjoxODQ1Nzg4ODk5LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.B9T9h5X6dSZs3MFIl4xEOsIp66T-B4H9UFTYx7EDnp8b_2yeNdSNmrfKTo6cercpW0AAAlw_xFUOswpqZuOrRpDhGxSiL0Uz3LPelXC2VeTUvfDT75CCODyOWQP-nUPh49Nqp_GCizBmL219IiQLwXtYlEuEJbpXuHiN2LFS7N_xeELLLSPVGfc4PIgJ4rCCVnmOKYPXQHP_Vn7OsqpVyYWPi2yzjnmlIVbYdt8W7KycC6VZfJBJcgRVU-yi4G17PI9sFCuYgCU8Uh-bneGDgaWm9VLTOAIc_dMaDt0PnOt90oh6EeBLEdsa8MYh3v7iDeKIzM6pLBuGUGrvPM9lu-OmD1Q0mQsUgsd-oPYPANLpgZErlcZzD-sfqvc8ryt-s2SGlc882WcLgrpDxSVaxXXkcLWp7PhuLfrzoTRUJig8Gw-rrxV6cUMc551ItTWdFmZNUWJLa_UlgSfQEn4aH9rLTlvkFPocdSqBeCw4Br0QnjBS7fznw6Mw17dKCSMmxVVfhFTll3-60jWAnN7KA0hDGIjppUQZs5ADlSkcmPc_OzoOAk8v115zKrD93fKYRL0rKFHpildu_SrVRhwjkViSqbgBjh6YDSKd69H6HwJzBrhDiuCLdkDgRuRnn9p-1zCKlR0QQTWSUVm8Bq3bd7ZOPTMGfprdJqaP6pfGQgQ
build: 0.1
client-type: WEB
Connection: keep-alive
Content-Length: 52
Content-Type: application/json;charset=UTF-8
Cookie: auth.strategy=local; auth._refresh_token.local=false; auth._token.local=Bearer%20eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijk3M2QyZWEzZWUyMzI0OWM4NThkMWQ2OTYyMThjZTlkN2IwZTk0NDAwOTljZDZiMzg4ZWMwYTZlOTNhYjllYjJiMzFhZTk1MGJiOGE4MGFhIn0.eyJhdWQiOiIxIiwianRpIjoiOTczZDJlYTNlZTIzMjQ5Yzg1OGQxZDY5NjIxOGNlOWQ3YjBlOTQ0MDA5OWNkNmIzODhlYzBhNmU5M2FiOWViMmIzMWFlOTUwYmI4YTgwYWEiLCJpYXQiOjE1MzAxNjk2OTksIm5iZiI6MTUzMDE2OTY5OSwiZXhwIjoxODQ1Nzg4ODk5LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.B9T9h5X6dSZs3MFIl4xEOsIp66T-B4H9UFTYx7EDnp8b_2yeNdSNmrfKTo6cercpW0AAAlw_xFUOswpqZuOrRpDhGxSiL0Uz3LPelXC2VeTUvfDT75CCODyOWQP-nUPh49Nqp_GCizBmL219IiQLwXtYlEuEJbpXuHiN2LFS7N_xeELLLSPVGfc4PIgJ4rCCVnmOKYPXQHP_Vn7OsqpVyYWPi2yzjnmlIVbYdt8W7KycC6VZfJBJcgRVU-yi4G17PI9sFCuYgCU8Uh-bneGDgaWm9VLTOAIc_dMaDt0PnOt90oh6EeBLEdsa8MYh3v7iDeKIzM6pLBuGUGrvPM9lu-OmD1Q0mQsUgsd-oPYPANLpgZErlcZzD-sfqvc8ryt-s2SGlc882WcLgrpDxSVaxXXkcLWp7PhuLfrzoTRUJig8Gw-rrxV6cUMc551ItTWdFmZNUWJLa_UlgSfQEn4aH9rLTlvkFPocdSqBeCw4Br0QnjBS7fznw6Mw17dKCSMmxVVfhFTll3-60jWAnN7KA0hDGIjppUQZs5ADlSkcmPc_OzoOAk8v115zKrD93fKYRL0rKFHpildu_SrVRhwjkViSqbgBjh6YDSKd69H6HwJzBrhDiuCLdkDgRuRnn9p-1zCKlR0QQTWSUVm8Bq3bd7ZOPTMGfprdJqaP6pfGQgQ
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Referer: http://localhost:3000/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
version: 0.0.1

Now when I login again, the access token is changed.
Login 2
Response

{
    "data": { 
         "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImQ2N2RjYWZkYWJhZWEwYTUzZDBiODQwYjRjMWYxNWVmMTVjNWE5NTg2N2Q2MjkxM2FlMWJjOGI1YjIyNmY0Zjk3MGJhODM5NzE1N2NlNmFiIn0.eyJhdWQiOiIxIiwianRpIjoiZDY3ZGNhZmRhYmFlYTBhNTNkMGI4NDBiNGMxZjE1ZWYxNWM1YTk1ODY3ZDYyOTEzYWUxYmM4YjViMjI2ZjRmOTcwYmE4Mzk3MTU3Y2U2YWIiLCJpYXQiOjE1MzAxNzA4NjgsIm5iZiI6MTUzMDE3MDg2OCwiZXhwIjoxODQ1NzkwMDY4LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.YxfdrtdHpDMZTuh5qLkIS6zKqJhqhJAnIqT9UZMMyc8caqA8pZMk0C648c2K55DLnomZnvFqTRtQfatGKpAPM1ku0-Nzpmxfn-2lsOB_cXehsw-OB15W0y3Bor2kFImokBWhW3qsHgkouOx8D3KSNHtIrtrdz3W8O9WwXiWEcPn3rtgZ-5qg6VBPcC9SHay1Bbaeqz3tjWGptMKPQFEpB7bKNbNlQjwtj4B-WbmRAz-s6X24RqOJsUS1frAe6eDn85RUY5lsQuZfsK8TL3mEC75Wcpc863nrf2AVTrtH6uBaKxlV6BQIDVBSTWquTH2DRRexzeEADYJwleaWr4H2eJN-C3kOcDF7pSInIsC3Q81-AAWjrWq6dfy2UKzif9bS265gnC3itNHeT2wySZYC7KulRzuDW1mhwM8jgX-ilk9Qg8xqr-Vh7eCF0igWwP2UHGNxrGd-f8j5Uc6eIw8guzZqqSveUmF83LOHe4Cy9RBybF7RdJHo8KZ6i4D8sR4kGP-1VhXirIQ3-DBZS-I5Eq3J8ZH_8z6ioLmlBxTx6ePwoQqrtyyaSiWbdvQl5RSVFH3ngOBcQB4KmHoPIYy2PqPoe1-XMhfsh94YgPrEAWSqAlHn6xRPLxyWdoV5OoVYG7BVGaWbfZnlg9PUFQxPJYqfm0_WHvqBO-Lwxyb8QsE" 
    }
}

And this token is set both on cookie and localstorage. But the $auth.fetchUser() api uses the old access token so login is not being completed. Refreshing the page fixes this as the access token stored in the cookie is a valid one.

Fetch User
Request

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,bn;q=0.8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijk3M2QyZWEzZWUyMzI0OWM4NThkMWQ2OTYyMThjZTlkN2IwZTk0NDAwOTljZDZiMzg4ZWMwYTZlOTNhYjllYjJiMzFhZTk1MGJiOGE4MGFhIn0.eyJhdWQiOiIxIiwianRpIjoiOTczZDJlYTNlZTIzMjQ5Yzg1OGQxZDY5NjIxOGNlOWQ3YjBlOTQ0MDA5OWNkNmIzODhlYzBhNmU5M2FiOWViMmIzMWFlOTUwYmI4YTgwYWEiLCJpYXQiOjE1MzAxNjk2OTksIm5iZiI6MTUzMDE2OTY5OSwiZXhwIjoxODQ1Nzg4ODk5LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.B9T9h5X6dSZs3MFIl4xEOsIp66T-B4H9UFTYx7EDnp8b_2yeNdSNmrfKTo6cercpW0AAAlw_xFUOswpqZuOrRpDhGxSiL0Uz3LPelXC2VeTUvfDT75CCODyOWQP-nUPh49Nqp_GCizBmL219IiQLwXtYlEuEJbpXuHiN2LFS7N_xeELLLSPVGfc4PIgJ4rCCVnmOKYPXQHP_Vn7OsqpVyYWPi2yzjnmlIVbYdt8W7KycC6VZfJBJcgRVU-yi4G17PI9sFCuYgCU8Uh-bneGDgaWm9VLTOAIc_dMaDt0PnOt90oh6EeBLEdsa8MYh3v7iDeKIzM6pLBuGUGrvPM9lu-OmD1Q0mQsUgsd-oPYPANLpgZErlcZzD-sfqvc8ryt-s2SGlc882WcLgrpDxSVaxXXkcLWp7PhuLfrzoTRUJig8Gw-rrxV6cUMc551ItTWdFmZNUWJLa_UlgSfQEn4aH9rLTlvkFPocdSqBeCw4Br0QnjBS7fznw6Mw17dKCSMmxVVfhFTll3-60jWAnN7KA0hDGIjppUQZs5ADlSkcmPc_OzoOAk8v115zKrD93fKYRL0rKFHpildu_SrVRhwjkViSqbgBjh6YDSKd69H6HwJzBrhDiuCLdkDgRuRnn9p-1zCKlR0QQTWSUVm8Bq3bd7ZOPTMGfprdJqaP6pfGQgQ
build: 1.1
client-type: I
Connection: keep-alive
Cookie: auth.strategy=local; auth._refresh_token.local=false; auth._token.local=Bearer%20eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImQ2N2RjYWZkYWJhZWEwYTUzZDBiODQwYjRjMWYxNWVmMTVjNWE5NTg2N2Q2MjkxM2FlMWJjOGI1YjIyNmY0Zjk3MGJhODM5NzE1N2NlNmFiIn0.eyJhdWQiOiIxIiwianRpIjoiZDY3ZGNhZmRhYmFlYTBhNTNkMGI4NDBiNGMxZjE1ZWYxNWM1YTk1ODY3ZDYyOTEzYWUxYmM4YjViMjI2ZjRmOTcwYmE4Mzk3MTU3Y2U2YWIiLCJpYXQiOjE1MzAxNzA4NjgsIm5iZiI6MTUzMDE3MDg2OCwiZXhwIjoxODQ1NzkwMDY4LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.YxfdrtdHpDMZTuh5qLkIS6zKqJhqhJAnIqT9UZMMyc8caqA8pZMk0C648c2K55DLnomZnvFqTRtQfatGKpAPM1ku0-Nzpmxfn-2lsOB_cXehsw-OB15W0y3Bor2kFImokBWhW3qsHgkouOx8D3KSNHtIrtrdz3W8O9WwXiWEcPn3rtgZ-5qg6VBPcC9SHay1Bbaeqz3tjWGptMKPQFEpB7bKNbNlQjwtj4B-WbmRAz-s6X24RqOJsUS1frAe6eDn85RUY5lsQuZfsK8TL3mEC75Wcpc863nrf2AVTrtH6uBaKxlV6BQIDVBSTWquTH2DRRexzeEADYJwleaWr4H2eJN-C3kOcDF7pSInIsC3Q81-AAWjrWq6dfy2UKzif9bS265gnC3itNHeT2wySZYC7KulRzuDW1mhwM8jgX-ilk9Qg8xqr-Vh7eCF0igWwP2UHGNxrGd-f8j5Uc6eIw8guzZqqSveUmF83LOHe4Cy9RBybF7RdJHo8KZ6i4D8sR4kGP-1VhXirIQ3-DBZS-I5Eq3J8ZH_8z6ioLmlBxTx6ePwoQqrtyyaSiWbdvQl5RSVFH3ngOBcQB4KmHoPIYy2PqPoe1-XMhfsh94YgPrEAWSqAlHn6xRPLxyWdoV5OoVYG7BVGaWbfZnlg9PUFQxPJYqfm0_WHvqBO-Lwxyb8QsE
DNT: 1
Host: localhost:3000
Referer: http://localhost:3000/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
version: 2.0
This bug report is available on Nuxt community (#c165)
@ghost ghost added the cmty:bug-report label Jun 28, 2018
@gintsgints
Copy link

gintsgints commented Jul 1, 2018

Do you have /api/logout implemented?
I got case, when it is not implemented, logout does not work at all.

  1. So change in project source /examples/api/auth.js and comment out all [POST] /logout function.
  2. Then I log in and get to secure page.
  3. After I push logout button, I still can access secure page.

@iamsayantan
Copy link
Author

Yes, api/logout is implemented. After logout refreshing the page seems to be resolving the issue. So for now i am doing a page refresh after a logout. So it works okay for now.

@nathanchase
Copy link

I'm having a problem where if I call this.$auth.logout(), it seems to update the state (loggedIn changes to false), and it appears as if I were logged out, but then if I reload the browser, I'm immediately logged back in.

Even opening other browsers (IE, Firefox, Chrome) that I had never opened before, and after ensuring I've cleared my localStorage, cookies, if I open http://localhost:3000 I'm already logged in, and the cookie/localStorage repopulates.

Is there something happening on the server-side that's creating a cookie or localStorage that I can't see from the client-side (browser)?

@Chathula
Copy link

Chathula commented Aug 9, 2018

@nathanchase exact issue here :( state has user response. i can't see even any network request in devtools

@nathanchase
Copy link

@Chathula Well, I solved it by ensuring that I had a user object. If there's no user object, then loggedIn will ALWAYS be set to true, because of this: #213

@Chathula
Copy link

@nathanchase can u show me some code example?

@Chathula
Copy link

@pi0 can u look into this issue? i am waiting to launch my app

@nathanchase
Copy link

@Chathula The problem code is outlined in this related issue: #213

Essentially, if a user object is empty (i.e., in nuxt.config.js auth config, user: false), then the loggedIn state variable will ALWAYS be true, thus giving the appearance of never logging you out.

See this line: https://github.com/nuxt-community/auth-module/blob/dev/lib/core/auth.js#L233

@mkstix6
Copy link

mkstix6 commented Dec 11, 2018

The scenario I'm facing could be related:

Steps:

  1. ✅ Log in as userA (token received, all good)
  2. ✅ User details api fires and I receive details for userA
  3. Log out using this.$auth.logout() (looks logged out in Vuex 👀)
  4. ✅ Try Log in as userB (login API fires, response contains new token 👍)
  5. ⚠️ User details api fires automatically but sends userA's old token.
  6. 👎 I'm now logged in as userA again 😖.
  7. 🤯 Refresh the browser, now logged in as userB.

All I can think is that, although Vuex looks cleared, there is a token stored somewhere that is persisting after clicking log out.

Does anyone think this could be part of the same issue?

@magicknight
Copy link

magicknight commented Dec 28, 2018

It seems that using store.state.auth.loggedIn instead of auth.loggedIn is a working workaround

@cprasarn
Copy link

cprasarn commented Feb 7, 2019

@nathanchase +1 here.

After logged out, the token has been cleared but the "ctx" still has the old "user" and "loggedIn" state.
When initialize the "state" in the "storage", the "state" copies the "ctx" old auth data.

https://github.com/nuxt-community/auth-module/blob/dev/lib/core/storage.js#L91

@olibia
Copy link

olibia commented Jul 1, 2019

The token persists in Authorization header. If you remove it before a new login, it works as expected:

this.$auth.strategies.local.options.endpoints.user.headers['Authorization'] = null

@craigPeckett
Copy link

The scenario I'm facing could be related:

Steps:

  1. ✅ Log in as userA (token received, all good)
  2. ✅ User details api fires and I receive details for userA
  3. Log out using this.$auth.logout() (looks logged out in Vuex 👀)
  4. ✅ Try Log in as userB (login API fires, response contains new token 👍)
  5. ⚠️ User details api fires automatically but sends userA's old token.
  6. 👎 I'm now logged in as userA again 😖.
  7. 🤯 Refresh the browser, now logged in as userB.

All I can think is that, although Vuex looks cleared, there is a token stored somewhere that is persisting after clicking log out.

Does anyone think this could be part of the same issue?

@mkstix6 did you manage to find a solution to this? i am having the same issue but only seems to be with ie

@mkstix6
Copy link

mkstix6 commented Apr 19, 2020

@craigPeckett and @ankitarora05, our code still includes @olibia 's suggestion above.
If I remove that code I immediately start experiencing issues with repeat logins again.

Thank you @olibia .

Just wanted to note that some of our package versions are a little old now:
nuxt 2.10.1
@nuxtjs/auth 4.9.0

@codeofsumit
Copy link

How can we manually clear the tokens until this is fixed? I'm using auth0

@JoaoPedroAS51
Copy link
Collaborator

Hi @codeofsumit! What version of auth module are you using?

@codeofsumit
Copy link

codeofsumit commented May 3, 2020

@JoaoPedroAS51
EDIT: 4.9.0

@JoaoPedroAS51
Copy link
Collaborator

JoaoPedroAS51 commented May 3, 2020

@codeofsumit Thanks. I will make some tests and see if I can find the issue :)

You can clear the tokens using this.$auth.setToken('auth0', false) and this.$auth.setRefreshToken('auth0', false)
And to clear axios header, use this.$axios.setHeader('Authorization', false)

@codeofsumit
Copy link

codeofsumit commented May 3, 2020

Thanks @JoaoPedroAS51 - this is my logout action now:

async logout({ state, commit }) {
    this.$auth.setToken(false)
    this.$auth.setRefreshToken(false)
    this.$axios.setHeader('Authorization', false)

    window.location = `https://${process.env.VUE_APP_AUTHDOMAIN}/v2/logout?returnTo=${window.location.origin}/logout`
},

However, after returning from auth0's logout endpoint, the token is still set in axios.

image

Seems like the Cookie isn't cleared
image

@pi0
Copy link
Member

pi0 commented May 3, 2020

@codeofsumit Can you try $auth.$storage.removeUniversal('_token.auth0')?

@JoaoPedroAS51
Copy link
Collaborator

JoaoPedroAS51 commented May 3, 2020

@codeofsumit Oh sorry I forgot to mention that setToken and setRefreshToken requires strategy as first parameter.
Try this.$auth.setToken('auth0', false) and this.$auth.setRefreshToken('auth0', false)

@JoaoPedroAS51
Copy link
Collaborator

@codeofsumit I'm testing here and seems to be working. I think an easier solution is to use this.$auth.logout() instead of manually remove tokens.

async logout({ state, commit }) {
    await this.$auth.logout()
    window.location = `https://${process.env.VUE_APP_AUTHDOMAIN}/v2/logout?returnTo=${window.location.origin}/logout`
},

@JoaoPedroAS51
Copy link
Collaborator

Hi @mkstix6! What scheme are you using?

@codeofsumit
Copy link

@JoaoPedroAS51 thanks for reminding me. I tried this in the past but somehow it wasn't working as expected so I removed it. It's working fine now and is the best solution of course ❤️
Thanks a lot.

Looking forward to the next version where tokens are refreshed 🎉

@mkstix6
Copy link

mkstix6 commented May 4, 2020

Hi @mkstix6! What scheme are you using?

Hey, ours is configured like so (perhaps there's something weird in there):

auth: {
    strategies: {
      local: {
        endpoints: {
          login: {
            url: '/api/auth/login',
            method: 'post',
            propertyName: 'access_token',
            userinfo_endpoint: false
          },
          logout: {
            url: '/api/auth/logout',
            method: 'get'
          },
          user: {
            url: '/api/user/details',
            method: 'get',
            propertyName: false,
            headers: { Accept: 'application/json' },
            tokenRequired: true,
            tokenType: 'Bearer',
            userinfo_endpoint: false
          }
        },
        tokenRequired: true,
        tokenType: 'Bearer'
      }
    }
}

@JoaoPedroAS51
Copy link
Collaborator

JoaoPedroAS51 commented May 4, 2020

@mkstix6 Your config looks good to me. But I think userinfo_endpoint is not an option.
Also tokenRequired and tokenType don't need to be set inside user object. :)

What version are you using now?

Did you say that using this solves your problem, right?

this.$auth.strategies.local.options.endpoints.user.headers['Authorization'] = null

@mkstix6
Copy link

mkstix6 commented May 5, 2020

  • Thanks.
  • I'm still on @nuxtjs/auth 4.9.0 and nuxt 2.10.1.
  • Yes, that code seemed to make logging in and logging out more stable once I added it a while back. Note: regarding my recent comment I only quickly tried removing it and re-testing it.

@suecharo
Copy link

suecharo commented Jun 2, 2020

I faced a similar issue when using GitHub's Oauth2 authentication.
The version of the module is @nuxtjs/auth 4.9.1.

Steps:

✅ Log in as userA (token received, all good)
✅ User details api fires and I receive details for userA
Log out using this.$auth.logout() (looks logged out in Vuex 👀)
✅ Try Log in as userB (login API fires, response contains new token 👍)
⚠️ User details api fires automatically but sends userA's old token.
👎 I'm now logged in as userA again 😖.
🤯 Refresh the browser, now logged in as userB.

The symptom above may be caused by a cookie from github.com being left in the browser.
Therefore, I deleted the cookie of github.com or requested the logout endpoint of api.github.com directly.
Then I can log in as a different user.

It would be appreciated if you could modify, or add some options.

@belgianMuscle
Copy link

Hey All.
So in my case I was using Auth0, I was having very similar symptoms and just could not figure it out. None of these solutions worked, except for the fact that it was required to call window.location 'http://{auth0 domain}/v2/logout....' The one thing I was forgetting was to add the client_id to the url... That was required for Auth0 to be able and delete those cookies.

@apryamostanov
Copy link

Hey All.
So in my case I was using Auth0, I was having very similar symptoms and just could not figure it out. None of these solutions worked, except for the fact that it was required to call window.location 'http://{auth0 domain}/v2/logout....' The one thing I was forgetting was to add the client_id to the url... That was required for Auth0 to be able and delete those cookies.

I think this is fixed in v5, but not in v4:
43eedc7

@n4an
Copy link

n4an commented Nov 14, 2020

I have problem, the api/aut/logout request was pending forever and not log out with redirect because of the, I think:
[HPM] Error occurred while trying to proxy request /xapi/auth/logout from localhost:3000 to http://localhost:3000 (ECONNRESET) (https://nodejs.org/api/errors.html#errors_common_system_errors) (repeated 28253 times)

But other api call work well?!

@JoaoPedroAS51
Copy link
Collaborator

Closing here, as this issue should be fixed in auth v5. We now recommend using v5 instead of v4. See status and #893

@Benyaminrmb
Copy link

if u are using nuxt auth u can try

this.$auth.strategy.token.reset();

@unaisp
Copy link

unaisp commented May 26, 2021

The scenario I'm facing could be related:
Steps:

  1. white_check_mark Log in as userA (token received, all good)
  2. white_check_mark User details api fires and I receive details for userA
  3. Log out using this.$auth.logout() (looks logged out in Vuex eyes)
  4. white_check_mark Try Log in as userB (login API fires, response contains new token +1)
  5. warning User details api fires automatically but sends userA's old token.
  6. -1 I'm now logged in as userA again confounded.
  7. exploding_head Refresh the browser, now logged in as userB.

All I can think is that, although Vuex looks cleared, there is a token stored somewhere that is persisting after clicking log out.
Does anyone think this could be part of the same issue?

@mkstix6 did you manage to find a solution to this? i am having the same issue but only seems to be with ie

Did you find a fix for this I am also facing the same issue

Its deployed on production
https://webpd.gamecom.app/

I am not sure I have tried clearing all tokens and storage but still the same problem

the solution is to delete the token in the backend on logout operation. Thus the upcoming requests (from previously opened tabs) with an old tokens will be blocked.

class api_logout(APIView):
permission_classes = (IsAuthenticated,)
def post(self, request):
request.user.auth_token.delete() # removing tokens
logout(request) # removing sessions
return Response(status=status.HTTP_200_OK)

@agm1984
Copy link

agm1984 commented Jan 7, 2022

Here is our logout function:

const handleLogout = () => {
    this.$auth.strategies.local.reset();
    this.$router.go();
}

That wipes the token out and reloads the current page which triggers the auth middleware which redirects the user to the login page using the Nuxt Auth middleware. https://auth.nuxtjs.org/guide/middleware/

You can console.log(this.$auth) or console.log(this.$auth.strategies) to see what's available, and look for the reset function. Ours is called local because that's what our strategy is called in the nuxt.config.js file.

@starofsky
Copy link

I have same issue while log in the second time and duplicate tab which have old account in first log in

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests