The logout endpoint takes the userId in the URL param, meaning that you can pass any known ID to log out a user. Even though we have the id in an encoded form, we should remove the id param.
Work:
Use /logout without the id param. Find an alternative way to retrieve the current user and issue the logout API call.
The storefront express server should be able to retrieve the necessary information from the current cookie-session for this.
It could pass an auth token as a header to the backend. The backend should be able to use Hydra introspection to retrieve the corresponding Reaction user in the same manner other GraphQL calls are validated, and then process the Meteor logout.
Actually, to keep it streamlined, the current meteor/webapp-based /logout endpoint could be replaced by a GraphQL mutation to make use of the already existing auth validation. AFAIK there is no need for a redirect here, as this will just be called by the storefront express server, which then does a req.logout() to also get rid of the passport session.
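Added example, not code from this issue or from the Reaction project: the two /logout designs discussed above, written as Express-style handlers with the backend, Hydra introspection and Passport replaced by constructed in-memory stand-ins so it runs offline. The mutation name `backendLogoutMutation`, the fixture users and tokens, and the request shape are assumptions made for the example.

```javascript
// Added example (not Reaction's code): the /logout design that trusts an id in
// the URL beside the design that derives identity from the caller's own session.
// The backend, Hydra introspection and Passport are stubbed with constructed data.

// Constructed fixture: which access token belongs to which user, and each
// user's live login tokens (the state a Meteor logout would clear).
function makeFixture() {
  const tokenToUser = new Map([
    ["tok-alice", "user-alice"],
    ["tok-bob", "user-bob"],
  ]);
  const loginsByUser = new Map([
    ["user-alice", new Set(["tok-alice"])],
    ["user-bob", new Set(["tok-bob"])],
  ]);
  return {
    tokenToUser,
    loginsByUser,
    activeLogins: (userId) => (loginsByUser.get(userId) || new Set()).size,
  };
}

// Minimal stand-in for an Express request carrying a cookie-session and Passport.
function makeRequest({ params = {}, session = {} } = {}) {
  const req = { params, session, passportSessionCleared: false };
  req.logout = () => { req.passportSessionCleared = true; }; // Passport's req.logout()
  return req;
}

// Stand-in for a backend "logout" GraphQL mutation (hypothetical name). Identity is
// resolved from the token (Hydra introspection in the real flow), never from a
// client-supplied id.
function backendLogoutMutation(fixture, { accessToken }) {
  const userId = fixture.tokenToUser.get(accessToken);
  if (!userId) return { ok: false, error: "invalid or expired token" };
  fixture.loginsByUser.get(userId).clear(); // the Meteor logout
  return { ok: true, userId };
}

// BEFORE: the id from the URL is trusted. Encoding it changes nothing, because any
// id the attacker has seen can simply be replayed in the same encoding.
function vulnerableLogoutHandler(fixture, req) {
  const userId = req.params.userId; // attacker-controlled
  if (!fixture.loginsByUser.has(userId)) return { status: 404 };
  fixture.loginsByUser.get(userId).clear();
  req.logout();
  return { status: 200, loggedOut: userId };
}

// AFTER: no id in the URL. The storefront takes the token from its own
// cookie-session, the backend resolves the user from that token, and the
// storefront then drops its Passport session. Anything in req.params is ignored.
function hardenedLogoutHandler(fixture, req) {
  const accessToken = req.session && req.session.accessToken;
  if (!accessToken) return { status: 401 };
  const result = backendLogoutMutation(fixture, { accessToken });
  if (!result.ok) return { status: 401 };
  req.logout();
  return { status: 200, loggedOut: result.userId };
}

// Demo: alice's browser sends a logout request that names bob's id.
function demo() {
  const before = makeFixture();
  const attack = vulnerableLogoutHandler(before,
    makeRequest({ params: { userId: "user-bob" }, session: { accessToken: "tok-alice" } }));
  const after = makeFixture();
  const same = hardenedLogoutHandler(after,
    makeRequest({ params: { userId: "user-bob" }, session: { accessToken: "tok-alice" } }));
  return {
    attack, bobLoginsAfterVulnerable: before.activeLogins("user-bob"),
    same, bobLoginsAfterHardened: after.activeLogins("user-bob"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the demo the vulnerable handler logs bob out on alice's request, while the hardened handler logs out alice (the session owner) and leaves bob's login untouched; a request with no session token gets a 401 without touching anyone.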