logout should remove auth session data rather than flushing

[ryanmcgrath]

• [+] I have looked for existing issues (including closed) about this

Bug Report

Version

0.15

Platform

All platforms

Description

Currently, when one signs in with axum-login, session data for auth specifically is written into the session with self.data_key. However, when calling logout, it's calling tower-sessions::Session flush, which obliterates the entire session. This was unexpected behavior - the docs don't note that it's destructive with respect to the entire session - and there are scenarios where one might want to have a session record for non-authenticated users while still having extra data for authenticated users.

axum-login/axum-login/src/session.rs

Line 121 in e959752

self.update_session().await?;

axum-login/axum-login/src/session.rs

Lines 140 to 142 in e959752

	async fn update_session(&mut self) -> Result<(), session::Error> {
	self.session.insert(self.data_key, self.data.clone()).await
	}

axum-login/axum-login/src/session.rs

Line 135 in e959752

self.session.flush().await?;

Is there any design decision/reason that logout can't just pop the data held at self.data_key (and maybe just provide a convenience method akin to logout_and_flush or something)?

[maxcountryman]

Please see the Django reference for the implementation.

This is mentioned in the Django documentation, so I agree it would be a good idea to extend the documentation similarly.

[ryanmcgrath]

Hmm, good point - I probably did the "add after flushing" routine myself in a past life. Doc improvements would def help for the cases where someone runs into this need.