Ensure users who log out no longer receive events

HISTORY.md

@@ -23,6 +23,7 @@ Not yet released. These are the changes so far...
 * Added documentation in Korean (thanks EngForDev)
 * Enable proper handling of question marks and params when routing HTTP requests (thanks matthiasg)
 * In newly generated projects `ss.define.client()` now lists client libs explicitly to avoid confusion over load order
+* Added ability to call `req.session.setUserId(null, cb)` when a user signs out
 * Updated bundled jQuery to 1.7.2
 
 

doc/guide/en/authentication.md

@@ -30,7 +30,11 @@ exports.actions = function(req, res, ss){
         res('Access denied!');
       }
 
-  	}
+  	},
+
+    logout: function(){
+      req.session.setUserId(null);
+    }
   }
 }
 

doc/guide/en/pub_sub_events.md

@@ -70,6 +70,8 @@ Once a user has been [authenticated](https://github.com/socketstream/socketstrea
 ss.publish.user('fred', 'specialOffer', 'Here is a special offer just for you!');
 ```
 
+Important: When a user signs out of your app, you should call `req.session.setUserId(null, cb)` to prevent the browser from receiving future events addressed to that `userId`. Note: This command only affects the current session. If the user is logged in via other devices/sessions these will be unaffected.
+
 
 
 ### 4. Sending to Individual Clients (browser tabs)

src/session/index.coffee

@@ -51,8 +51,12 @@ exports.find = (sessionId, socketId, cb) ->
     session.channel = channels(session, socketId)
 
     session.setUserId = (userId, cb = ->) ->
-      @userId = userId
-      @_bindToSocket()
+      if userId
+        @userId = userId
+        @_bindToSocket()
+      else if @userId # if null (i.e. user has signed out)
+        subscriptions.user.remove(@userId, socketId)
+        delete @userId
       @save(cb)
 
     session._bindToSocket = ->