Log out of user seems not to work.

Created on 7 March 2024, 11 months ago
Updated 1 July 2024, 7 months ago

Problem/Motivation

I am using JWT along with JSON:API. Logging in works as expected and is very nice, but I have problems logging the user out.

Steps to reproduce

(in Postman)
- Log the user in with the steps described here: https://www.drupal.org/docs/core-modules-and-themes/core-modules/jsonapi... →
- delete the cookie which Postman always creates and set up to use the JWT BEARER in Postman and
- try to log out
- I'll always get the message:

{
    "message": "'csrf_token' URL query argument is invalid."
}

I tracked the problem down here: https://www.drupal.org/project/drupal/issues/3421163 💬 Logout via REST does not work because of CSRF Check. Active because I thought it might be something in Drupal core. If the session cookie is present in Postman it works as expected. But when using a JWT stored in local storage this should be (? at least I thought ?) enough to auth a user and possibly continue with a session.

If anyone has a suggestion where I might be wrong, help is appreciated.

πŸ› Bug report
Status

Closed: duplicate

Version

2.0

Component

Code

Created by

🇩🇪 Germany ro-no-lo


Comments & Activities

  • Issue created by @ro-no-lo
  • 🇺🇸 United States pwolanin

    Can you clarify - you got a session cookie after logging? How did you get the JWT?

  • Status changed to Postponed: needs info 11 months ago
  • 🇺🇸 United States pwolanin
  • 🇩🇪 Germany ro-no-lo

    I use Vue3 as a JS frontend. I save the JWT in the browser's local storage, for a neat relogin on return. The classic session cookie is not present. The JWT token is. Therefore I do have the JWT token while logged in.

    I have no idea if that answered your question. As auth, we use the BEARER on each request.

  • 🇩🇪 Germany ro-no-lo

    I hope I can correctly describe my problem with Postman images.

    The question about the session cookie makes me curious. Why is that needed? Should it not be enough to send the JWT token as Bearer with any request? The thing is, the Vue3 SPA website works flawlessly in terms of requests; ONLY the logout does not work.

    If you follow the screenshots by timestamp you'll see why I get the

    {
        "message": "'csrf_token' URL query argument is invalid."
    }

    message.

  • 🇩🇪 Germany ro-no-lo

    I dug deeper and want to clarify something. Our frontend is a Vue3 frontend on localhost:3000. The backend, however, was on a domain like foobar.local. That means that Drupal had sent the session cookie with the domain ".foobar.local". Vite, the server used while developing, forwarded that cookie to the browser via proxy. With that in mind, the Drupal session cookie was never accepted by the browser because of the different domains. After hours of research I found that Vite has settings so that the proxy can rewrite the cookie domains to, for example, localhost. With that in place the logout works because the session cookie is accepted and will be used in the logout process.

    BUT for whatever reason it still does not work in staging or production environments, where the Drupal session domain setting is set to ".foobar.com" and both frontend and backend are on different subdomains. No idea why, but there is still a problem.

    However, I still don't understand why a session cookie is important, IF a JWT cookie authenticates the user to drupal.

  • Status changed to Needs review 7 months ago
  • 🇺🇸 United States mradcliffe USA

    I think this was documented in the steps to reproduce in 📌 Manage user session with jwt Needs review so proposing to close as duplicate. I'm setting to Needs review rather than being bold and closing as duplicate.

  • 🇩🇪 Germany ro-no-lo

    Seems the same problem or at least related. You may close it.

  • Status changed to Closed: duplicate 7 months ago
  • 🇺🇸 United States mradcliffe USA

    Closing as duplicate.
