Create logout API route and delete tokens #406

Open
kgilles opened this issue May 31, 2024 · 3 comments
Labels: enhancement (New feature or request)

Comments

@kgilles
Member

kgilles commented May 31, 2024

Today there's no way to invalidate an auth token via the API. Which means when a user logs out via the UI, the frontend can't tell the backend to remove the active token connected to the user. This token can still be used to make API requests.

This isn't necessarily a big security threat as long as the frontend promptly removes all references to this token, and the token itself is given a very short lifetime. However, I want to share some reasons in favor of deleting these tokens in the backend on logout.

  1. I did say this isn't a big security threat. However, it could still give malicious actors access to more users' active tokens in case database access is gained, compared to if we removed these tokens on user logout.
  2. Keeping the tokens alive even after the user has logged out means we can't trust the validate_auth* API route response (according to my personal expectation that it return falsy after the user has logged out).
  3. I believe it's an expectation from the user that there be no way to take actions as the user after they've logged out.

* I'm developing restricted frontend routes which require the user to be logged in, such as the "create a post" page. I'd like to use the validate_auth route to know whether the user is logged in or not, and direct the user to the login page if I receive a non-OK response.

Open to discuss.

@kgilles kgilles converted this from a draft issue May 31, 2024
@kgilles kgilles added the enhancement New feature or request label May 31, 2024
@jgrim jgrim moved this from 🆕 New to 🔖 Ready in Sublinks Development May 31, 2024
@jgrim jgrim added this to the Version 0.1 - Parity milestone May 31, 2024
@Pdzly
Member

Pdzly commented Jul 22, 2024

Yeah the Sublinks Native API will support that.

@Pdzly
Member

Pdzly commented Sep 5, 2024

@kgilles
Added 2 ( 3 ) possibilities.

  1. /api/v1/person/logout (a straight-up alias for /api/v1/session/invalidate)
  2. /api/v1/session/invalidate
  3. Get all sessions with /api/v1/session/person => get the "key" (or in this case the id) related to the logged-in token, and then you can invalidate (or delete) it with DELETE /api/v1/person/invalidate/{sessionkey} or DELETE /api/v1/data/{sessionkey}

@Pdzly Pdzly moved this from 🔖 Ready to 👀 In review in Sublinks Development Sep 5, 2024
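The following is an added example, not code from the Sublinks repository or from either commenter. It models in one place the two things discussed above: kgilles's expectation that a logged-out token must stop validating (the validate_auth point), and the three invalidation paths Pdzly lists (invalidate the presented token, or list the person's sessions and delete one by its key). The class, method and field names are assumptions; the comments only map them onto the route names from the thread. It also goes one step beyond the discussion on point 1: the store keeps a SHA-256 hash of each token rather than the token itself, so a database dump does not hand out usable bearer tokens.

```typescript
// Added example (not Sublinks code): a minimal server-side session store that
// makes logout revoke the token in the backend, so validate_auth turns falsy
// and the old token can no longer be used for API requests.
import { createHash, randomBytes } from "node:crypto";

interface Session {
  key: string;        // public session id, usable as the {sessionkey} path parameter
  personId: number;
  tokenHash: string;  // SHA-256 of the bearer token; the raw token is never persisted
  expiresAt: number;  // epoch milliseconds
}

function sha256Hex(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

class SessionStore {
  private byKey = new Map<string, Session>();
  private keyByTokenHash = new Map<string, string>();

  // `now` is injectable so expiry can be exercised without waiting.
  constructor(private ttlMs: number, private now: () => number = Date.now) {}

  // Login: issue a random bearer token and persist only its hash.
  issue(personId: number): { token: string; key: string } {
    const token = randomBytes(32).toString("base64url");
    const key = randomBytes(8).toString("hex");
    const session: Session = { key, personId, tokenHash: sha256Hex(token), expiresAt: this.now() + this.ttlMs };
    this.byKey.set(key, session);
    this.keyByTokenHash.set(session.tokenHash, key);
    return { token, key };
  }

  // validate_auth equivalent: null once the session is revoked or expired.
  validate(token: string): Session | null {
    const key = this.keyByTokenHash.get(sha256Hex(token));
    const session = key === undefined ? undefined : this.byKey.get(key);
    if (!session) return null;
    if (session.expiresAt <= this.now()) {
      this.remove(session);
      return null;
    }
    return session;
  }

  // /api/v1/session/invalidate (alias /api/v1/person/logout): revoke the presented token.
  invalidateByToken(token: string): boolean {
    const session = this.validate(token);
    if (!session) return false;
    this.remove(session);
    return true;
  }

  // /api/v1/session/person: list the caller's session keys (never the hashes).
  listForPerson(callerToken: string): string[] {
    const caller = this.validate(callerToken);
    if (!caller) return [];
    return Array.from(this.byKey.values())
      .filter((s) => s.personId === caller.personId)
      .map((s) => s.key);
  }

  // DELETE .../{sessionkey}: a caller may only delete sessions belonging to the same person.
  invalidateByKey(callerToken: string, key: string): boolean {
    const caller = this.validate(callerToken);
    const target = this.byKey.get(key);
    if (!caller || !target || target.personId !== caller.personId) return false;
    this.remove(target);
    return true;
  }

  private remove(session: Session): void {
    this.byKey.delete(session.key);
    this.keyByTokenHash.delete(session.tokenHash);
  }
}

// Walk-through with constructed data: login, logout, then retry the old token.
// Returns [valid before logout, logout succeeded, valid after logout].
function logoutScenario(): boolean[] {
  const store = new SessionStore(60_000);
  const { token } = store.issue(42);
  const before = store.validate(token) !== null;
  const loggedOut = store.invalidateByToken(token);
  const after = store.validate(token) !== null;
  return [before, loggedOut, after];
}

// Walk-through for the key-based path: person 42 has two sessions; person 7 must not
// be able to delete either of them, but 42 can delete its own other session.
// Returns [sessions seen by 42, cross-person delete allowed, own delete allowed, sessions left].
function keyDeletionScenario(): [number, boolean, boolean, number] {
  const store = new SessionStore(60_000);
  const a = store.issue(42);
  const b = store.issue(42);
  const other = store.issue(7);
  const seen = store.listForPerson(a.token).length;
  const crossPerson = store.invalidateByKey(other.token, b.key);
  const own = store.invalidateByKey(a.token, b.key);
  return [seen, crossPerson, own, store.listForPerson(a.token).length];
}

// Expiry still applies independently of logout: a token past its TTL validates as null.
function expiryScenario(): boolean {
  let clock = 1_000;
  const store = new SessionStore(500, () => clock);
  const { token } = store.issue(42);
  clock += 501;
  return store.validate(token) === null;
}
```

With this layout the frontend logout handler calls the invalidate route first and only then drops its local copy of the token; a later validate_auth call with the stale token returns the non-OK result kgilles wants to redirect on, and the short TTL remains a backstop for tokens that were never explicitly logged out.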
@Pdzly
Member

Pdzly commented Sep 5, 2024

( currently in the #359 branch )

@Pdzly Pdzly self-assigned this Sep 5, 2024
Projects
Status: 🏗 In progress
Development

No branches or pull requests

3 participants