Logout button

  • datomnz-1131130610753220619

    Tom Wrench

    1 year ago

    Hi everyone! Just a quick question on how to get a button to logout a user?

    I'm using Supabase Auth, and thought that simply setting the session cookie to null or blank (instead of containing the token) would do the trick. However, this isn't the case!

    Any tips? Thanks! 🙏
    👍3
  • croco_07-1131202762923843667

    Croco_07

    1 year ago

    Hi! Not sure it's good practice, but setting the session cookie to an empty string seems to be working for me. Not sure, though, whether it is the recommended practice.
  • andreasmoller-1131328910773211327

    Andreas Møller

    1 year ago

    Hi! Setting the session cookie can work, but the simplest option is to link to /.toddle/logout.

    Sorry this has not been documented yet :/
    👍4
    💡1
  • datomnz-1131344030807105636

    Tom Wrench

    1 year ago

    /.toddle/logout works great. Thanks Andreas!
  • tomthebigtree-1161721925656129638

    Tom Ireland

    1 year ago

    Sorry for reviving this old discussion, but I was wondering what /.toddle/logout does, @Andreas Møller. My current method for logging out is to call logout via the Supabase API and then set the session cookie to an empty value (it works), but I was also wondering if that was the right way to go about it. When you say link to /.toddle/logout, is that 'Go to URL'?
  • erikbeus-1161914888378134549

    Erik Beuschau

    1 year ago

    The logout endpoint sets the expiration time to 0 for both the id_token and the access_token and asks the browser to redirect to your front page (/).
  • croco_07-1161929148516798466

    Croco_07

    1 year ago

    @Tom Ireland I was doing it like you, but now I use the toddle/logout endpoint and it works very well!
  • tomthebigtree-1161932903668781146

    Tom Ireland

    1 year ago

    Thanks, @Erik Beuschau and @Croco_07. That seems a sensible implementation, just to be 100% sure everything is cleared properly.
  • patrickmast-1276383594645950464

    Patrick Mast

    8 months ago

    I think this is worth documenting! 😉
    ❤️1
    💯3
  • uunicode-1341377687339667468

    unicodes

    2 months ago

    I followed the steps you mentioned, but logout isn't working properly (from Supabase). The application needs to check auth/v1/user to verify if the user is logged in.

    If the user is not logged in, it returns a 403 error (Invalid JWT).
    If the user is logged in, it provides useful details, including an authenticated status.

    Simply deleting the access token doesn’t fully log out the user, because they can still access the session from another device. If someone steals the access token, they can access the account and use the app.

    For security, the app should:

    - Check auth/v1/user on any page. If valid, continue; if not, delete the access token and redirect to login.
    - Proper logout requires calling auth/v1/logout.
    - After logout, check auth/v1/user again. If the user is still authenticated, check the logout error. If you receive a 403 error, delete the access token and redirect to login.
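
The sequence unicodes describes (verify with auth/v1/user, call auth/v1/logout, verify again, then expire the cookie locally, which is what Erik says /.toddle/logout does), written out as an added JavaScript example; it is not code from the thread, toddle or Supabase. The project URL, anon key, cookie name `access_token`, token `tok-1` and the `makeFakeFetch()` stand-in server are placeholders or constructed for the demo.

```javascript
// Added example, not code from the thread, toddle or Supabase: the logout
// sequence the last post describes, against Supabase Auth (GoTrue) URLs.
// Assumed/constructed: PROJECT_REF and ANON_KEY placeholders, cookie name
// "access_token", token "tok-1" and the makeFakeFetch() stand-in server.
const SUPABASE_URL = "https://PROJECT_REF.supabase.co"; // placeholder
const SUPABASE_ANON_KEY = "ANON_KEY_PLACEHOLDER";        // placeholder
const authHeaders = (t) => ({ apikey: SUPABASE_ANON_KEY, Authorization: `Bearer ${t}` });
// Steps 1 and 3: does the server still accept this token? 200 = yes; 401/403 = no (thread reports 403).
async function checkUser(accessToken, fetchImpl) {
  const res = await fetchImpl(`${SUPABASE_URL}/auth/v1/user`, { headers: authHeaders(accessToken) });
  if (res.status === 200) return "authenticated";
  if (res.status === 401 || res.status === 403) return "invalid";
  return "error"; // network or 5xx: neither trusted nor silently wiped
}
// Step 2: revoke the session server-side so it dies on every device, not just this cookie.
async function serverLogout(accessToken, fetchImpl) {
  const res = await fetchImpl(`${SUPABASE_URL}/auth/v1/logout`, { method: "POST", headers: authHeaders(accessToken) });
  return res.status;
}
// The post's decision rule, kept pure so it can be tested without a server.
function decideAfterLogout(logoutStatus, userStateAfter) {
  if (userStateAfter === "invalid") return "clear-and-redirect";
  if (logoutStatus === 401 || logoutStatus === 403) return "clear-and-redirect";
  return "retry"; // still authenticated server-side: do not pretend we logged out
}
// Local part, same effect as /.toddle/logout above: expire the cookie (Max-Age=0).
function clearCookie(name) {
  if (typeof document !== "undefined") document.cookie = `${name}=; Max-Age=0; Path=/; SameSite=Lax`;
}
async function logoutFlow(accessToken, fetchImpl = fetch) {
  const logoutStatus = await serverLogout(accessToken, fetchImpl);
  const after = await checkUser(accessToken, fetchImpl);
  const action = decideAfterLogout(logoutStatus, after);
  if (action === "clear-and-redirect") clearCookie("access_token");
  return { logoutStatus, after, action };
}
// Constructed stand-in for GoTrue so the flow runs offline: "tok-1" is valid
// until POST /auth/v1/logout is seen; afterwards GET /auth/v1/user returns 403.
function makeFakeFetch() {
  const revoked = new Set();
  return async (url, opts = {}) => {
    const token = (opts.headers?.Authorization || "").replace("Bearer ", "");
    const valid = token === "tok-1" && !revoked.has(token);
    if (url.endsWith("/auth/v1/logout")) {
      if (valid) revoked.add(token);
      return { status: valid ? 204 : 403 };
    }
    return { status: url.endsWith("/auth/v1/user") && valid ? 200 : 403 };
  };
}
```

In a real page, `logoutFlow(tokenFromCookie)` with the default `fetch` runs the same sequence against your project, and the "retry" result is the case where clearing the cookie alone would have left the session alive elsewhere.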