
logout of app errors #18128

Closed
norricorp opened this issue Apr 11, 2023 · 13 comments

Comments

@norricorp

Describe the Bug

Using the directus app, I log in, do stuff and then log out.
Using the browser console there are the following messages.

XHR POST http://localhost:8055/auth/logout
[HTTP/1.1 400 Bad Request 16ms]

GET http://localhost:8055/assets/5799c3db-c46a-4bd2-ab06-8d1e90f67ac7
[HTTP/1.1 403 Forbidden 15ms]

Easy enough to try, and the messages can be expanded for more details. Should this happen?

To Reproduce

Just log into the directus app and then logout with the browser console open.

I looked at this because I get errors in a front end app when that logs out (using the sdk). They are different errors complaining about the refresh token which by default should be in json. (There is a difference between the sdk logout and the api logout; the latter has the refresh token as a param).

The code seems to have problems getting the token from json.

Hosting Strategy

Self-Hosted (Custom)

@br41nslug
Member

I am unable to reproduce this using the given information. Could you provide the actual error returned and any other information/configuration required to reproduce this on a new instance.

> There is a difference between the sdk logout and the api logout; the latter has the refresh token as a param

They both go to the api logout endpoint but the difference being the SDK defaults to using json while the app relies on the cookie being supplied

br41nslug closed this as not planned (Won't fix, can't repro, duplicate, stale) Apr 11, 2023
@norricorp
Author

I have just realised what else is needed to get this to show up. My frontend app!
So I log into the directus app and log out - with no logout errors. As you found.
But if I log in to the directus app with the admin user, then log in to my frontend app with a different app, then log out of the front end app and, after the directus app, I get the auth/logout error in the browser consoles.

I have taken screenshots of the expanded errors.
[screenshot: frontend_app]

[screenshot: directus_app]

So it appears that when I logout from the frontend app, which has a logout error, this then sets something in the backend that causes the directus app to suffer the same problem. Also the uncaught promise error occurs (from my code) during a read of items. The weird thing there is that when the page is first opened (and no one logged in) the read works. But when it is reread after logout, the read fails. And it should not need a refresh token. Perhaps because the refresh token is not cleared during logout by directus?

So in summary, I appear to have done something that breaks directus backend.

@br41nslug
Member

It looks like both frontends are using localhost which probably means that both apps have access to the same directus_refresh_token cookie. So when you log in to both in the same browser the last one overwrites the first and subsequently deletes the refresh token from the browser cookie store when logging out.

Does it continue happening when logging it with 2 different browsers? (or with 1 in incognito mode)

@norricorp
Author

Yes you are right. Frontend in firefox (my default) and directus in Edge gives a clean logout in directus (just noticed the bunny or hare in console!).
So when logging in on my frontend, I do all defaults. Looking at the rest api for auth, the response is access token, an expiry value and the refresh token. I use the sdk, and though data.access_token is present, data.refresh_token is undefined.
So why would this be the case?

@norricorp
Author

So the object returned from auth.login in the sdk only contains the access token and the expires value. It does not contain the refresh token. Is this what should be happening?

@azrikahar
Contributor

> So the object returned from auth.login in the sdk only contains the access token and the expires value. It does not contain the refresh token. Is this what should be happening?

It is indeed intended when the mode is cookie (by default on browsers) 👍 Here's a note of it in the docs at https://docs.directus.io/reference/authentication.html#response-attributes: if you used cookie as the mode in the request, the refresh token won't be returned in the JSON.

@norricorp
Author

I thought mode defaulted to json - I had not seen the comment that it defaults to cookie in browsers.
Is this why I get a console error when logging out when the refresh token is not in json or cookie?

@azrikahar
Contributor

> I thought mode defaulted to json - I had not seen the comment that it defaults to cookie in browsers. Is this why I get a console error when logging out when the refresh token is not in json or cookie?

It seems like your request headers do in fact not contain the refresh token from the cookie, so you may need to double check via DevTools whether the cookie exists. You may also be facing a CORS issue (hence the cookie may not be set, or sent), so please do check out https://docs.directus.io/self-hosted/config-options.html#cors as well.

@norricorp
Author

I have spent a lot of time on cors. And I thought I had got it working (in the sense that no CORS errors show up) but CORS is the gift that keeps biting!
My CORS entries in .env are
CORS_ENABLED=true
CORS_ORIGIN="http://localhost:3000, https://mint21-wolfsberg:3000/, https://norricorp.duckdns.org:3000"

Just to add, another console message during logout is a warning
Cookie “directus_refresh_token” has been rejected because it is already expired.

So I changed the code and wrapped the auth.logout in an auth.refresh. The result was
XHR POST http://localhost:8055/auth/refresh [HTTP/1.1 401 Unauthorized 29ms]

My Error Code: logout refresh error Error: Invalid user credentials.

So the refresh token doesn't seem to be anywhere?

@azrikahar
Contributor

I'm not sure whether there are any other possibilities off the top of my head, but try making sure there is no space (after commas) in your CORS_ORIGIN, as `a, b, c` will become `['a', ' b', ' c']` for example (notice that `b` and `c` have an extra space), so ` b` and ` c` won't match `b` and `c` respectively. This also reminds me of #17878 (comment).

That being said, I do recommend joining our community Discord server and forward your question over there, so that other community members can help to further debug your current setup as well 👍
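To make the comma-and-space point concrete, here is an added example (not Directus code) that matches the CORS_ORIGIN value posted above against the Origin values a browser would actually send, first with the naive split described in the comment and then with a normalised parse that trims whitespace and strips the trailing slash. It assumes an exact-match allow-list; how Directus itself parses the variable is not shown on this page.

```javascript
// Added example, not Directus code: how a comma-separated CORS_ORIGIN value
// behaves against a browser's Origin header, naively vs normalised.

// Value taken from the issue above: note the spaces after the commas and the
// trailing slash on the second entry.
const CORS_ORIGIN =
  'http://localhost:3000, https://mint21-wolfsberg:3000/, https://norricorp.duckdns.org:3000';

// Origins a browser sends: scheme://host[:port], never a path or trailing slash.
const REQUEST_ORIGINS = [
  'http://localhost:3000',
  'https://mint21-wolfsberg:3000',
  'https://norricorp.duckdns.org:3000',
];

// Naive split, as the comment describes: leading spaces survive.
function parseNaive(value) {
  return value.split(',');
}

// Normalised parse: trim, drop empties, and rebuild each entry as
// scheme://host[:port] via URL so trailing slashes and case differences vanish.
function parseNormalised(value) {
  return value
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => {
      const u = new URL(s); // throws on a malformed entry, so typos surface early
      return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
    });
}

// Exact-match allow-list check: returns the request origins that would be allowed.
function allowedOrigins(allowList, origins) {
  const allowed = new Set(allowList);
  return origins.filter((o) => allowed.has(o));
}

console.log('naive:', allowedOrigins(parseNaive(CORS_ORIGIN), REQUEST_ORIGINS));
// only http://localhost:3000 matches
console.log('normalised:', allowedOrigins(parseNormalised(CORS_ORIGIN), REQUEST_ORIGINS));
// all three match
```

With the naive split only the first entry matches, so the second and third origins get no CORS headers and the browser will not send or store the cross-origin cookie for them.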

@norricorp
Author

Useful comment on spaces in the cors origin value though not sure how that would cause the refresh token to be lost. Also normally if I have a cors problem then it shows up at Auth login.
I have been using your discord community for several months now and it has been very helpful for some questions.
BTW, 17878 was actually me!
So the fundamental question is why does my login not generate a refresh token?

@norricorp
Author

norricorp commented Apr 13, 2023

So I kept the directus app to Edge and my frontend to firefox. In both I see the directus_refresh_token. But I added an unnecessary auth.refresh to see the result, and I get an invalid user credentials error.

I commented out the refresh and tried auth.token and that does return the access token.

So I am now getting a refresh token in the cookie but it does not appear to be accessible. Which leads me to a fundamental question. Is auth.refresh using the refresh token value in the cookie? Is it using the access token?

Why is refresh giving invalid user credentials?

@norricorp
Author

I have just upgraded to sdk 10.3.3 and a few of the problems have gone eg the refresh invalid user messages.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 1, 2024