Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove id param from logout endpoint #574

Closed
impactmass opened this issue Sep 5, 2019 · 2 comments
Closed

Remove id param from logout endpoint #574

impactmass opened this issue Sep 5, 2019 · 2 comments
Assignees
@aldeed
Projects
3.0.0

Comments

@impactmass
Copy link
Contributor

Rationale for why this is necessary

The logout endpoint takes the userId in the url param. Meaning that you can pass any known ID to log out a user. Even though we have the id in an encoded form, we should remove the id param.

Work:

Use /logout without the id param. Find alternative to retrieve the current user and the issue to logout api call.
@janus-reith
Copy link
Collaborator

janus-reith commented Oct 13, 2019
edited
Loading

The storefront express server should be able to retrieve necessary information from the current cookie-session for this.
It could pass an auth token as header to the backend. The backend should be able to use hydra introspection to retrieve the belonging Reacton user in the same manner other graphql calls are validated and then process the meteor logout.

Actually to keep it streamlined, the current meteor/webapp-based /logout endpoint could be replaced by a GraphQL Mutation to make use of the already existing auth validation. AFAIK there is no need for a redirect here as this will just be called by the storefront express server, which then does a req.logout() to also get rid of the passport session.

@aldeed aldeed added this to To do in 3.0.0 Oct 25, 2019
@aldeed aldeed self-assigned this Dec 30, 2019
@aldeed aldeed moved this from To do to In progress in 3.0.0 Dec 30, 2019
@aldeed aldeed mentioned this issue Dec 30, 2019
Merged
@aldeed aldeed moved this from In progress to Review in progress in 3.0.0 Dec 30, 2019
@willopez
Copy link
Member

resolved via #637

3.0.0 automation moved this from Review in progress to Done Dec 31, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aldeed aldeed

Labels
None yet
Projects
No open projects
3.0.0
  
Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@willopez @janus-reith @aldeed @impactmass