SvelteKitAuth: signOut is not working when initiated via API call using /auth/signout
#8134
Comments
I think I have seen the same issue with a keycloak provider. I believe that authentication was happening silently (without need to redirect to any kind of login form) because the actual oauth2 session (the source for the auth.js session/session cookie) is persisted by your provider. The
The |
@ksmoore17 - Thanks for the reply. But why do things work out on the client side? For the client side, in the file next-auth\packages\frameworks-sveltekit\src\lib\client.ts, they don't pass any special params, yet the session gets invalidated and the scenario works perfectly fine:

```ts
/**
 * Signs the user out, by removing the session cookie.
 * Automatically adds the CSRF token to the request.
 *
 * [Documentation](https://authjs.dev/reference/sveltekit/client#signout)
 */
export async function signOut(options?: SignOutParams) {
  const { callbackUrl = window.location.href } = options ?? {}
  // TODO: Custom base path
  // TODO: Remove this since Sveltekit offers the CSRF protection via origin check
  const csrfTokenResponse = await fetch("/auth/csrf")
  const { csrfToken } = await csrfTokenResponse.json()
  const res = await fetch(`/auth/signout`, {
    method: "post",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      "X-Auth-Return-Redirect": "1",
    },
    body: new URLSearchParams({
      csrfToken,
      callbackUrl,
    }),
  })
  const data = await res.json()
  const url = data.url ?? callbackUrl
  window.location.href = url
  // If url contains a hash, the browser does not reload the page. We reload manually
  if (url.includes("#")) window.location.reload()
}
```

If I do the same locally in +page.server.ts, things don't work. This is something that is confusing me a lot!
I hear you.. the server side handling that you and I have implemented (#7979) seems like a hack for some reason, I guess. Maybe something going on inside the |
@ksmoore17 - that's what I did, i.e. a direct POST to the OIDC endpoint, and it worked. Thank you for the detailed insights. I still believe the core team should work on pinpointing and focusing on this bug, as it is weird that things work on the client side but not on the server side!
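The `signOut` helper quoted in the comment above runs in the browser, which stores the cookie set by `/auth/csrf` and sends it back with the POST. As an added example (not code from this thread or from Auth.js), the sketch below models a double-submit CSRF check with a hypothetical in-memory handler and replays the same two requests with and without a cookie jar; the handler, the secret and the cookie names `csrf-token` and `session-token` are assumptions.

```javascript
// Added illustration: a hypothetical in-memory handler, not Auth.js source.
const { createHash, randomBytes, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // assumption: server-side secret
const sign = (token) => createHash("sha256").update(token + SECRET).digest("hex");

// Minimal model of GET /auth/csrf and POST /auth/signout.
function handle({ method, path, cookies = {}, body = {} }) {
  if (method === "GET" && path === "/auth/csrf") {
    const csrfToken = randomBytes(32).toString("hex");
    // Double-submit: the token is returned in the body, token|hash in a cookie.
    return { json: { csrfToken }, setCookie: { "csrf-token": `${csrfToken}|${sign(csrfToken)}` } };
  }
  if (method === "POST" && path === "/auth/signout") {
    const [cookieToken = "", cookieHash = ""] = (cookies["csrf-token"] ?? "").split("|");
    const expected = Buffer.from(sign(cookieToken));
    const given = Buffer.from(cookieHash);
    const verified = given.length === expected.length &&
      timingSafeEqual(given, expected) && body.csrfToken === cookieToken;
    if (!verified) return { json: { error: "csrf" }, setCookie: {} };
    // Only a verified request is told to expire the session cookie.
    return { json: { url: body.callbackUrl }, setCookie: { "session-token": "" } };
  }
  return { json: {}, setCookie: {} };
}

// Replays the two requests made by signOut(); `jar` models whether the caller keeps cookies.
function signOutFlow(jar) {
  const csrf = handle({ method: "GET", path: "/auth/csrf", cookies: jar ?? {} });
  if (jar) Object.assign(jar, csrf.setCookie); // a browser stores Set-Cookie
  const res = handle({
    method: "POST", path: "/auth/signout", cookies: jar ?? {},
    body: { csrfToken: csrf.json.csrfToken, callbackUrl: "/" },
  });
  if (jar) Object.assign(jar, res.setCookie);
  return { url: res.json.url ?? null, sessionCleared: "session-token" in res.setCookie };
}

const browserJar = { "session-token": "constructed-session" }; // constructed sample
console.log("with cookie jar:", signOutFlow(browserJar), browserJar);
console.log("without cookie jar:", signOutFlow(null));
```

In this model, a caller that does keep a jar only clears the cookie in its own jar; the response that expires the session cookie still has to reach the browser that holds it.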
Environment
Reproduction URL
https://github.com/aakash14goplani/SvelteKitAuth-signOut-Bug
Describe the issue
`signOut` using API endpoint on server side is not working as expected for SvelteKitAuth package. `/auth/signout`: the request passes through but it does not invalidate the session, and the session-token cookie still persists. `signIn` and `signOut` are working fine. Also `/auth/signin`, i.e. `signIn` on server side, works fine as well. It is just the `signOut` part that is broken.
How to reproduce
- `/` deals with client side login and logout, which works perfectly fine.
- `/login` page deals with programmatic login using `/auth/signin`, i.e. as soon as you land on this page, the authentication process will trigger on its own. This also works fine.
- `/logout` page deals with programmatic logout using `/auth/signout`, i.e. as soon as you land on this page, you should get logged out, but this does not happen. The user is still logged in and the `session-token` cookie still persists! Also, there are no visible errors in the browser console or CLI.
Expected behavior
/auth/signout