Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Delete logout cookie #153

Merged
merged 6 commits into from
Jan 11, 2023
Merged

Delete logout cookie #153

merged 6 commits into from
Jan 11, 2023

Conversation

psrpinto
Copy link
Member

@psrpinto psrpinto commented Jan 9, 2023
edited
Loading

When the user logs out of WordPress, a chatrix-logout cookie is set, which will result in the logout.ts script runing, which logs out matrix sessions, and deletes all chatrix data in the browser.

However, this cookie wasn't beeing expired after sessions had been logged out, which would result in the script running on all page loads (until the cookie expires). This PR fixes that by expiring the cookie once sessions have been logged out and data deleted.

Addiitionally, as suggested by @ashfame, the logout script is now only being enqueued when the chatrix-logout cookie exists.

@psrpinto psrpinto self-assigned this Jan 9, 2023
@psrpinto psrpinto force-pushed the delete-logout-cookie branch from 255eb3a to c04c8b9 Compare January 9, 2023 15:14
@psrpinto psrpinto requested review from ashfame and akirk January 9, 2023 15:15
ashfame
ashfame reviewed Jan 11, 2023
View reviewed changes
Copy link
Member

@ashfame ashfame left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suspect this would cause logout issues when used on a website which has caching plugin, so might be safer to always load the logout script file and not based on cookie check. To expand on it, imagine a WP site with logout redirection to homepage and has a caching plugin so homepage load never really checks for cookie presence for loading logout script.

Also, we have another problem with the logout. Inside logoutSession() fetch doesn't reject a 403 http request by design, so a failed logout attempt is considered as a success.

frontend/logout.ts Outdated Show resolved Hide resolved
@psrpinto
Always enqueue logout script when no user is logged in
4180244 
In sites with caching, page would not necessarily contain the script.
We want to make sure script always runs.
It's a very small script, around 500 bytes.
@psrpinto
Only expire cookie on success
c7d525b
@psrpinto
403s and 404s should be considered a failure
3017823
@psrpinto
Log errors as errors
b71428e
@psrpinto psrpinto requested a review from ashfame January 11, 2023 14:45
ashfame
ashfame approved these changes Jan 11, 2023
View reviewed changes
Copy link
Member

@ashfame ashfame left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

src/Sessions/logout.php Show resolved Hide resolved
frontend/logout.ts Show resolved Hide resolved
@psrpinto psrpinto merged commit f4574c7 into main Jan 11, 2023
@psrpinto psrpinto deleted the delete-logout-cookie branch January 11, 2023 15:54
@psrpinto psrpinto added this to the 0.5 milestone Jan 11, 2023
This was referenced Jan 25, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ashfame ashfame ashfame approved these changes

@akirk akirk Awaiting requested review from akirk

Assignees

@psrpinto psrpinto

Labels
None yet
Projects
None yet
Milestone
0.5
Development

Successfully merging this pull request may close these issues.
2 participants
@psrpinto @ashfame