
Logout succeeds without token revocation

Open sshymko opened this issue 9 years ago • 0 comments

Built-in endpoint /logout returns a successful 200 OK status even when no tokens (access and/or refresh) have been revoked. That can happen when no tokens have been passed as part of a request, as they're not required.

This behavior opens the door for mistakes in a client application that can easily go unnoticed because the "logout" appears to succeed.

The expected behavior would be to require passing an access token. The call should succeed upon invalidation of a known token only.

The refresh token being optional allows it to be mistakenly omitted from the request as well. That can easily happen due to the domain/path scope of cookies. In this case the "logout" will be misinterpreted as successful even though the refresh token remains valid.

sshymko, Mar 01 '17 06:03
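One way to implement the behaviour this issue asks for, as an added example that is not express-stormpath's own code: the lenient handler that always answers 200 is shown beside a strict one that refuses a logout without an access token, fails on an unknown token, and reports whether the refresh token was actually revoked. The cookie names, the in-memory token store and the request shape (a cookie-parser style `req.cookies` map) are assumptions made for the example.

```javascript
// Assumed cookie names; express-stormpath's real names may differ.
const ACCESS_COOKIE = 'access_token';
const REFRESH_COOKIE = 'refresh_token';

// Constructed in-memory store of tokens the server has issued.
function makeStore(tokens) {
  return new Set(tokens);
}

// Revoke a token; true only if the store actually knew it.
function revoke(store, token) {
  return store.delete(token);
}

// The behaviour the issue describes: whatever arrives, report success.
// Revocation of unknown or absent tokens silently does nothing.
function logoutLenient(store, req) {
  const cookies = req.cookies || {};
  revoke(store, cookies[ACCESS_COOKIE]);
  revoke(store, cookies[REFRESH_COOKIE]);
  return { status: 200, body: {} };
}

// The requested behaviour: an access token is mandatory, it must be one the
// server issued, and the response states which tokens were invalidated so a
// refresh token that never reached the server (cookie path scope) is visible.
// Returns { status, body } instead of writing an Express response so it runs
// stand-alone.
function logoutStrict(store, req) {
  const cookies = req.cookies || {};
  const access = cookies[ACCESS_COOKIE];
  const refresh = cookies[REFRESH_COOKIE];
  if (!access) {
    return { status: 400, body: { error: 'access token required' } };
  }
  if (!revoke(store, access)) {
    return { status: 401, body: { error: 'unknown access token' } };
  }
  const refreshRevoked = refresh ? revoke(store, refresh) : false;
  return { status: 200, body: { revoked: { access: true, refresh: refreshRevoked } } };
}
```

A client that checks `body.revoked.refresh === false` after a 200 can detect the cookie-scope mistake the issue describes instead of treating the session as closed.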