metacatui
Logout should work across windows and tabs
Shreyas and @vchendrix pointed out that, with MetacatUI open in two tabs, logging out in one tab leaves the user logged in in the other tab: the user can still update the profile information and successfully send new content.
This is possibly a server-side issue with the DataONE portal since we call the /portal/logout endpoint in UserModel.logout(), which should destroy the session and cause subsequent authenticated calls to fail. I will write that up in another ticket.
However, on the client side, we only log out a single instance of MetacatUI by calling window.location. We need a local way to determine the authentication status across windows and tabs, and likely need to use a shared IndexedDB storage location to make this work.
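One way to get a cross-tab logout signal on the client, as an added illustration that is not MetacatUI code: write a logout stamp to a shared Web Storage key and let the browser's `storage` event (fired in every other same-origin tab when a key changes) tell sibling tabs to drop their copy of the token. The names `LOGOUT_KEY`, `createAuthSync` and `SharedStorage`, the in-memory storage used to run it outside a browser, and the sample token value are all assumptions made for this example.

```javascript
// Added example, not part of the MetacatUI code base. Cross-tab logout
// signalling through a key in shared Web Storage: the tab that logs out writes
// a new stamp, and every OTHER same-origin tab receives a `storage` event for
// it and discards its token. LOGOUT_KEY, createAuthSync and SharedStorage are
// names assumed for this illustration, not MetacatUI identifiers.
const LOGOUT_KEY = 'metacatui.logoutAt';

// storage:        object with getItem/setItem (window.localStorage in a browser)
// subscribe:      registers a handler for storage events raised by OTHER tabs
//                 (in a browser: h => window.addEventListener('storage', h))
// onRemoteLogout: optional callback run when another tab has logged out
function createAuthSync({ storage, subscribe, onRemoteLogout }) {
  let token = null;

  subscribe((ev) => {
    // Ignore unrelated keys and removals; only a fresh logout stamp matters.
    if (ev.key !== LOGOUT_KEY || ev.newValue === null) return;
    token = null;
    if (onRemoteLogout) onRemoteLogout(ev.newValue);
  });

  return {
    setToken(t) { token = t; },
    getToken() { return token; },
    // Drop the local token, then write a NEW stamp. Storage events fire only
    // when the stored value actually changes, so a fixed string such as
    // "logged-out" would not notify siblings on the second logout.
    localLogout() {
      token = null;
      storage.setItem(LOGOUT_KEY, Date.now() + ':' + Math.random().toString(36).slice(2));
    },
  };
}

// In-memory stand-in for localStorage shared by several simulated tabs, so the
// example runs outside a browser. It mirrors the browser rule that the writing
// tab does NOT receive its own storage event.
class SharedStorage {
  constructor() {
    this.data = new Map();
    this.listeners = []; // { tabId, handler }
  }
  attach(tabId, handler) {
    this.listeners.push({ tabId, handler });
  }
  forTab(tabId) {
    const data = this.data;
    const notify = (event) => {
      for (const l of this.listeners) {
        if (l.tabId !== tabId) l.handler(event);
      }
    };
    return {
      getItem: (key) => (data.has(key) ? data.get(key) : null),
      setItem: (key, value) => {
        const newValue = String(value);
        const oldValue = data.has(key) ? data.get(key) : null;
        data.set(key, newValue);
        if (oldValue !== newValue) notify({ key, oldValue, newValue });
      },
    };
  }
}

// Two simulated tabs share one storage: both hold the same (constructed) token,
// tab A logs out, and tab B must end up logged out as well.
function simulateTwoTabs() {
  const shared = new SharedStorage();
  const log = [];
  const makeTab = (id) => createAuthSync({
    storage: shared.forTab(id),
    subscribe: (h) => shared.attach(id, h),
    onRemoteLogout: () => log.push(`${id}: token dropped after logout in another tab`),
  });
  const tabA = makeTab('A');
  const tabB = makeTab('B');
  tabA.setToken('sample-token-123'); // constructed sample value, not a real token
  tabB.setToken('sample-token-123');
  tabA.localLogout();
  return { tokenA: tabA.getToken(), tokenB: tabB.getToken(), log };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateTwoTabs());
}
```

In a browser the same `createAuthSync` would be wired with `window.localStorage` and `h => window.addEventListener('storage', h)`; `BroadcastChannel` is an equivalent transport where it is available. A tab opened after the logout should also compare the stored stamp against the time its token was obtained, since it will never see the event. Note the limit of this approach: it only clears the client-side copies of the token and redirects each tab; it does nothing to invalidate the token itself, which remains usable wherever it has been persisted until it expires or the server rejects it.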
I think the issue here is that tokens can't be revoked per se. Once they are signed, they are valid. We have no CRL equivalent for tokens. And sessions aren't really involved, I think, in that a new session is created if a token is valid and unexpired.
Hi Matt - So sessions on the server side are involved in that the Coordinating Node stores the token and other information into a hash map keyed with the JSESSIONID cookie in the request. When the user calls /portal/logout on the CN, that entry in the hash should be destroyed, and after looking at the code, I think it actually is destroyed. However, on subsequent calls (from other tabs), my current theory is that the CN doesn't find a session related to the cookie, so redirects the user to ORCID, but ORCID sees the person has signed in within their timeout threshold, and immediately authenticates the user, so the CN mints another token and acts as if the person was logged in. I need to test this though - it's just an idea. But yes, a token revocation list would make this more deterministic.