Bug: Logging out using redirect authentication does not log out the user #1147
Comments
Hey @cfg-fadica. Thank you for mentioning this one. I think this is the expected result when using this hook and providing the It's true that clicking logout will clear the auth and the cookie for that instance. However once you reload the page it will try to authenticate again using redirect. You see according to the docs here when you use this hook into your page and provide the If you logout from WordPress then the whole process is reversed and you will have to login again. If you wish to disable redirects on load you should use the Now if you wish to control this better you should be using a login button instead of having I hope this paints a better picture. |
Hi @theodesp, Do you mean that I have to implement my own separate log out from WordPress in order for this to work? I thought that I've used So, in conclusion, I am reporting that the actual bug is that WordPress cookies are not destroyed. |
Hi there. I had to switch accounts. I am the ghost above, formerly cfg-fadica. |
@jonjakoblich When you call logout, the framework invalidates the refresh token here and clears the cookie. You can verify this by loading the page using Then go to your code and change If you reload the page with
It will try to authenticate, get the access token and populate the auth cookie every time. When you click logout it will temporarily clear the cookie for a moment but then the whole process will start again as the Check this recording: Screen.Recording.2022-11-17.at.10.52.42.mov |
Hi @theodesp. Thank you for this. I replicated the same steps you took using Faust.Bug.mp4 Faust does not terminate the WordPress session, and to me it seems that it should have been terminated on What is the effective way to log out a user using |
Hey @jonjakoblich. That is true. We don't destroy the session there. Maybe this is a good feature request that we may investigate. I will create a ticket in our backlog. As for using the

```jsx
import * as React from 'react';
import { client } from 'client';

export default function MyPage() {
  // Start with no redirect.
  const [shouldRedirect, setShouldRedirect] = React.useState(false);
  const { isLoading: isAuthLoading, isAuthenticated } = client.auth.useAuth({
    shouldRedirect,
  });

  const login = () => {
    // Redirect to login once the user clicks the button.
    setShouldRedirect(true);
  };

  React.useEffect(() => {
    // Once authenticated, disable the automatic redirect.
    if (isAuthenticated && shouldRedirect) {
      setShouldRedirect(false);
    }
  }, [shouldRedirect, isAuthenticated]);

  const { isLoggedOut, logout } = client.auth.useLogout();

  /**
   * Not authenticated
   */
  if (!isAuthenticated || isLoggedOut) {
    return <div>Not authenticated. <a href="#" onClick={() => login()}>Login</a></div>;
  }

  return (
    <div>
      <p>My auth content</p>
      <a href="#" onClick={() => logout()}>Log out</a>
    </div>
  );
}
```

I've added a recording for this functionality: Screen.Recording.2022-11-17.at.16.28.34.mov |
Hi @theodesp. Thank you for that workaround. As your video demonstrates, and as I found in testing it, the user is never really logged out because the WordPress cookie still persists, thus on redirect they are not taken to a login page. The specific problem I am trying to solve is to have a user both logged in to the front end and the back end without having to log in separately. I was hoping redirect authentication would address this, but its tradeoff is that the user is never logged out from the backend. I prefer using the local authentication because I can create my own login page, but logging in a user to the backend at the same time is proving challenging. My workaround for now is to adapt your solution above to the following.

```jsx
import { client } from 'client'
import { useRouter } from 'next/router'
import { useEffect, useState } from 'react'

export default function MyPage() {
  const router = useRouter()
  const [shouldRedirect, setShouldRedirect] = useState(false)
  const { isLoading: isAuthLoading, isAuthenticated } = client.auth.useAuth({
    shouldRedirect,
  })

  useEffect(() => {
    // Once authenticated, disable the automatic redirect.
    if (isAuthenticated && shouldRedirect) {
      setShouldRedirect(false);
    }
    // Not authenticated: send the user through the redirect login.
    if (!isAuthenticated) {
      setShouldRedirect(true);
    }
  }, [shouldRedirect, isAuthenticated])

  const { isLoggedOut, logout } = client.auth.useLogout()

  const customLogout = () => {
    // Clear the front-end auth first, then end the WordPress session as well.
    logout().then((res) => {
      router.push(process.env.NEXT_PUBLIC_WORDPRESS_URL + '/wp-login.php?action=logout')
    })
  }

  /**
   * Not authenticated
   */
  if (!isAuthenticated || isLoggedOut) {
    return <div>Not authenticated</div>
  }

  return (
    <div>
      <p>My auth content</p>
      <a href="#" onClick={() => customLogout()}>Log out</a>
    </div>
  )
}
```

And on the back end, in a custom plugin I added the following code to eliminate the nonce check (and prompt when it is missing) on log out.

```php
/**
 * Allow logout without _wpnonce confirmation
 */
add_action('check_admin_referer', function ($action, $result) {
    if ( $action == "log-out" && !isset( $_GET['_wpnonce'] ) ) {
        // Fall back to the Referer request header when no redirect_to is supplied.
        $redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : $_SERVER['HTTP_REFERER'];
        // wp_logout_url() returns an HTML-escaped URL; decode &amp; before using it in a header.
        $location = str_replace( '&amp;', '&', wp_logout_url( $redirect_to ) );
        header( "Location: $location" );
        die;
    }
}, 10, 2);
```

I appreciate that you added my request to the backlog and I look forward to a solution that addresses this issue without a workaround. |
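A check for the behaviour reported in this issue, as an added example that is not part of the thread or of the Faust.js code base: given the cookies held before logout and the `Set-Cookie` headers seen during it, it lists the WordPress auth cookies that are still live. The front-end cookie name `frontend-rt`, the hash suffix and all values are constructed, and Path/Domain scoping is ignored.

```javascript
// Added example. Cookie values and the front-end cookie name are constructed.
// Simplification: Path/Domain scoping is ignored, so one jar stands in for both origins.
function isWpAuthCookie(name) {
  // Core names its auth cookies wordpress_<hash>, wordpress_sec_<hash> and
  // wordpress_logged_in_<hash>; wordpress_test_cookie carries no session.
  return name.startsWith('wordpress_') && name !== 'wordpress_test_cookie';
}

// Parse one Set-Cookie header into { name, value, expired }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  let expired = value === ''; // an emptied cookie no longer carries a session
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'max-age' && Number(v) <= 0) expired = true;
    if (key === 'expires' && Date.parse(v) <= Date.now()) expired = true;
  }
  return { name, value, expired };
}

// Apply the Set-Cookie headers seen during logout to the cookies held before it
// and return the WordPress auth cookies that are still live afterwards.
function survivingWpSessionCookies(jarBefore, setCookieHeaders) {
  const jar = new Map(Object.entries(jarBefore));
  for (const header of setCookieHeaders) {
    const c = parseSetCookie(header);
    c.expired ? jar.delete(c.name) : jar.set(c.name, c.value);
  }
  return [...jar.keys()].filter(isWpAuthCookie).sort();
}

// Constructed sample data.
const SAMPLE_JAR = {
  'wordpress_logged_in_0123abcd': 'constructed-session',
  'wordpress_sec_0123abcd': 'constructed-auth',
  'frontend-rt': 'constructed-refresh-token',
};
const FRONTEND_LOGOUT_ONLY = ['frontend-rt=; Max-Age=0; Path=/'];
const WITH_WP_LOGOUT = [
  ...FRONTEND_LOGOUT_ONLY,
  'wordpress_logged_in_0123abcd=%20; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/',
  'wordpress_sec_0123abcd=%20; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/wp-admin',
];
console.log(survivingWpSessionCookies(SAMPLE_JAR, FRONTEND_LOGOUT_ONLY), survivingWpSessionCookies(SAMPLE_JAR, WITH_WP_LOGOUT));
```

A non-empty result after a logout flow means the WordPress session outlived the front-end logout, which is the condition this issue describes.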
Sure I've added a ticket for this and will follow up soon. |
@Fran-A-Dev and I experienced this behavior as well when using redirect-based auth to answer a question in Discord as an FYI |
Just chiming in here as well to say it would be great to see this feature added to the framework. I’ve just had this issue today when messaging on Discord. It’s pretty confusing, especially for customers on the front end who won’t have access to the backend to logout in both places. Would love to see this behaviour added in without workarounds 😀 |
Would love to see this implemented as well! |
When logging out using the redirect method of authentication, the ~~frontend cookie~~ WordPress authentication persists and the user remains logged in to the application. I was able to reproduce this on a fresh install.

Applicable Versions
@faustjs/core version: 0.15.7
@faustjs/react version: 0.15.7
@faustjs/next version: 0.15.9

Steps To Reproduce
Contents of src/pages/authpage.tsx
Link to code example: https://github.com/cfg-fadica/faustjs-logout-demo

The current behavior
User remains logged in after using the `logout()` function exported from `client.auth.useLogout()`. The ~~frontend app cookie~~ WordPress authentication persists.

The expected behavior
When the `logout()` function is fired, frontend app cookie would be destroyed and user would be logged out, unable to access the authenticated content without logging in again.

EDIT:
When the `logout()` function is fired, WordPress cookies would be destroyed and user would be logged out, unable to access the authenticated content without logging in again.