This repository has been archived by the owner on Mar 21, 2024. It is now read-only.

Access token not removed after logout #27

Closed
mooreds opened this issue Dec 16, 2022 · 3 comments

Comments

@mooreds
Collaborator

mooreds commented Dec 16, 2022

Related: #22

The access and refresh token cookies are set by the example server side code. Since they are set by a server side component, they are not accessible to the react SDK to delete on logout.

When you click logout, you are sent to FusionAuth's logout link: https://github.com/FusionAuth/fusionauth-react-sdk/blob/main/src/providers/FusionAuthProvider.tsx#L100

This kills the FusionAuth managed cookies. We also need to remove any server side non FusionAuth set cookies, such as the access_token.

After the FusionAuth logout URL is processed, it calls the logout url. (Set here by default; https://github.com/FusionAuth/fusionauth-example-react-sdk/blob/main/kickstart/kickstart.json#L60 ). That'd be the proper place to nuke the access token and refresh token cookies.

So I think the best path is to create another server side route which receives the logout request, nukes the cookies, and then redirect to the first, unauthenticated page of the react app.
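The route described above, as an added example that is not code from the FusionAuth example app: a Node `http` handler that expires the server-set token cookies and redirects to a fixed landing page. The cookie names (`app.at`, `refresh_token`), the cookie path and the landing page path are assumptions.

```javascript
// Added example, not from the FusionAuth example app. Cookie names, path and
// landing page are assumptions; they must mirror whatever the real server used.
const TOKEN_COOKIES = ['app.at', 'refresh_token']; // refresh cookie name assumed
const COOKIE_PATH = '/';   // must equal the Path used when the cookies were set
const LANDING_PAGE = '/';  // fixed target; never read the redirect from the request

// Build one Set-Cookie header per token cookie that tells the browser to drop it.
// Browsers only overwrite a cookie when Path (and Domain, if one was set) match
// the original, so these attributes must match the ones used at login. HttpOnly
// cookies can only be cleared this way: client-side JavaScript cannot see them.
function expireCookieHeaders(names, path) {
  return names.map(
    (name) =>
      `${name}=; Path=${path}; Max-Age=0; ` +
      'Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax'
  );
}

// Handler for the route that FusionAuth redirects to after its own logout.
// It clears the app-managed cookies, then sends the user to the unauthenticated
// landing page. Cache-Control: no-store keeps proxies from caching the response.
function handleLogout(req, res) {
  if (req.method !== 'GET') {
    res.writeHead(405);
    res.end();
    return;
  }
  res.writeHead(302, {
    'Set-Cookie': expireCookieHeaders(TOKEN_COOKIES, COOKIE_PATH),
    Location: LANDING_PAGE,
    'Cache-Control': 'no-store',
  });
  res.end();
}

// Wire-up, e.g. with Node's built-in server:
//   require('http').createServer((req, res) =>
//     req.url === '/logout' ? handleLogout(req, res) : (res.writeHead(404), res.end())
//   ).listen(3000);
module.exports = { expireCookieHeaders, handleLogout };
```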

@david-chalk
Collaborator

@mooreds It looks like this issue has been resolved via the referenced PRs. Are we ready to close this issue?

@mooreds
Collaborator Author

mooreds commented Jan 25, 2024

I think the only reason to keep this open is to make sure that the same behavior happens in the other SDKs.

@JakeLo123
Collaborator

I think the only reason to keep this open is to make sure that the same behavior happens in the other SDKs.

...circling back around to this. Since that access_token cookie (since renamed to app.at) is httpOnly, it's not readable by JavaScript. So there should be no action needed for any of the JavaScript SDKs.

I've verified that it's removed by the server in the react example app as well as the hosted endpoint with these follow-up issues.
FusionAuth/fusionauth-example-react-sdk#27
FusionAuth/fusionauth-quickstart-javascript-react-web#7

With that, closing this issue.
