I followed the steps you mentioned, but logout isn’t working properly (from Supabase). The application needs to check auth/v1/user to verify if the user is logged in.
If the user is not logged in, it returns a 403 error (Invalid JWT).
If the user is logged in, it provides useful details, including an authenticated status.
Simply deleting the access token doesn’t fully log out the user, because they can still access the session from another device. If someone steals the access token, they can access the account and use the app.
For security, the app should:
- Check auth/v1/user on any page. If valid, continue; if not, delete the access token and redirect to login.
- Proper logout requires calling auth/v1/logout.
- After logout, check auth/v1/user again. If the user is still authenticated, check the logout error. If you receive a 403 error, delete the access token and redirect to login.
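The flow described in this post, as an added example that is not the poster's code or Supabase's own client library. The endpoint paths /auth/v1/user and /auth/v1/logout are taken from the post and the `apikey` plus `Authorization: Bearer` headers are how Supabase's auth API is addressed; everything else (the storage key, the redirect hook, the in-memory fake auth server that answers 403 "Invalid JWT" for a revoked token as the post reports, and the token values) is a constructed assumption so the example runs offline:

```javascript
// Added example, not the poster's or Supabase's code. The endpoint paths are
// from the post; the apikey + Authorization: Bearer headers are how Supabase's
// auth API is called; the storage key, redirect hook, fake in-memory auth
// server and token values below are assumptions so the example runs offline.
const TOKEN_KEY = 'sb-access-token'; // assumed storage key

const headersFor = (anonKey, token) => ({ apikey: anonKey, Authorization: `Bearer ${token}` });

// GET /auth/v1/user: a 2xx means the server still accepts this token.
// The post reports 403 "Invalid JWT" for a dead token; any non-2xx is
// treated as "not logged in" so a 401 is handled the same way.
async function checkSession({ baseUrl, anonKey, fetchImpl }, token) {
  const res = await fetchImpl(`${baseUrl}/auth/v1/user`, { method: 'GET', headers: headersFor(anonKey, token) });
  return res.ok ? { authenticated: true, user: await res.json() } : { authenticated: false, status: res.status };
}

// POST /auth/v1/logout: revokes the session server-side, so a copied or stolen
// token stops working on every device, which deleting it locally cannot do.
async function serverLogout({ baseUrl, anonKey, fetchImpl }, token) {
  const res = await fetchImpl(`${baseUrl}/auth/v1/logout`, { method: 'POST', headers: headersFor(anonKey, token) });
  return { ok: res.ok, status: res.status };
}

function clearAndRedirect(storage, navigate) {
  storage.removeItem(TOKEN_KEY);
  navigate('/login');
}

// Page guard: run on every page load before rendering anything private.
async function requireSession(cfg, storage, navigate) {
  const token = storage.getItem(TOKEN_KEY);
  if (!token) { navigate('/login'); return false; }
  const session = await checkSession(cfg, token);
  if (!session.authenticated) { clearAndRedirect(storage, navigate); return false; }
  return true;
}

// Logout as the post describes: call /logout, re-check /user, then decide.
async function logoutAndVerify(cfg, storage, navigate) {
  const token = storage.getItem(TOKEN_KEY);
  if (!token) { navigate('/login'); return 'no-token'; }
  const logout = await serverLogout(cfg, token);
  const after = await checkSession(cfg, token);
  if (!after.authenticated) { clearAndRedirect(storage, navigate); return 'revoked'; }
  // Still authenticated server-side: inspect the logout response.
  if (logout.status === 403) { clearAndRedirect(storage, navigate); return 'logout-403-cleared'; }
  return `still-authenticated:${logout.status}`; // keep the token, surface the error
}

// Constructed stand-in for the auth API (not a real Supabase project).
function makeFakeAuthApi({ validTokens, failLogoutWith = null }) {
  const sessions = new Set(validTokens);
  const reply = (status, body) => ({ ok: status >= 200 && status < 300, status, json: async () => body });
  return async function fakeFetch(url, init = {}) {
    const headers = init.headers || {};
    if (!headers.apikey) return reply(401, { message: 'No API key found in request' });
    const token = String(headers.Authorization || '').replace(/^Bearer /, '');
    const path = new URL(url).pathname;
    if (path === '/auth/v1/user') {
      return sessions.has(token)
        ? reply(200, { id: 'user-1', aud: 'authenticated', role: 'authenticated' })
        : reply(403, { message: 'Invalid JWT' }); // status as reported in the post
    }
    if (path === '/auth/v1/logout' && init.method === 'POST') {
      if (failLogoutWith) return reply(failLogoutWith, { message: 'logout failed' });
      if (!sessions.has(token)) return reply(403, { message: 'Invalid JWT' });
      sessions.delete(token);
      return reply(204, null);
    }
    return reply(404, { message: 'not found' });
  };
}

// Minimal localStorage-like object so the example runs outside a browser.
function makeStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v), removeItem: (k) => m.delete(k) };
}

// Two devices hold the same token. Local deletion on A leaves B logged in;
// a verified server logout on A logs B out too. Returns both outcomes.
async function demoTwoDevices(failLogoutWith = null) {
  const cfg = { baseUrl: 'https://project.supabase.co', anonKey: 'anon-key',
                fetchImpl: makeFakeAuthApi({ validTokens: ['tok-123'], failLogoutWith }) };
  const visited = [];
  const navigate = (p) => visited.push(p);
  const deviceA = makeStorage({ [TOKEN_KEY]: 'tok-123' });
  const deviceB = makeStorage({ [TOKEN_KEY]: 'tok-123' });
  deviceA.removeItem(TOKEN_KEY);                                        // naive logout: local delete only
  const bAfterLocalDelete = await requireSession(cfg, deviceB, navigate); // still true
  deviceA.setItem(TOKEN_KEY, 'tok-123');                                // restore for the proper flow
  const result = await logoutAndVerify(cfg, deviceA, navigate);
  const bAfterServerLogout = await requireSession(cfg, deviceB, navigate);
  return { bAfterLocalDelete, result, bAfterServerLogout,
           tokenA: deviceA.getItem(TOKEN_KEY), tokenB: deviceB.getItem(TOKEN_KEY), redirects: visited.length };
}

demoTwoDevices().then((r) => console.log(r));
```

Passing `failLogoutWith` as 403 or 500 to `demoTwoDevices` exercises the two failure branches from the post: a 403 from /auth/v1/logout while /auth/v1/user still answers 200 clears the token and redirects, while any other failure keeps the token and returns the status so the page can retry or alert instead of silently leaving a live session behind.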