Auth-module: Logout does not clear the tokens

Created on 28 Jun 2018 · 34 Comments · Source: nuxt-community/auth-module

Version

v4.5.1

Reproduction link

https://jsfiddle.net/

Steps to reproduce

logout then login

What is expected ?

Logout should clear the old access tokens. As per this issue ( https://github.com/nuxt-community/auth-module/issues/57 ), it's fixed in version 4.0.

What is actually happening?

Hello, I am facing this issue while trying to log in after a logout. After the login API is called, the access token is set in both localStorage and the cookie. But the fetchUser() method is using the previous access token. I am using version 4.5.1. I even manually set the axios headers to null.

        async logout() {
            await this.$auth.logout({
                data: {
                    device_id: this.device_id
                }
            });

            this.$axios.setHeader('Authorization', null);
            this.$toast.show('Successfully logged out');
        }

Request response flow:
Login
Request:

Request URL: http://localhost:3000/api/users/login
Request Method: POST
Status Code: 200 OK
Remote Address: 127.0.0.1:3000
Referrer Policy: no-referrer-when-downgrade

Response

{
    "data": { 
         "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijk3M2QyZWEzZWUyMzI0OWM4NThkMWQ2OTYyMThjZTlkN2IwZTk0NDAwOTljZDZiMzg4ZWMwYTZlOTNhYjllYjJiMzFhZTk1MGJiOGE4MGFhIn0.eyJhdWQiOiIxIiwianRpIjoiOTczZDJlYTNlZTIzMjQ5Yzg1OGQxZDY5NjIxOGNlOWQ3YjBlOTQ0MDA5OWNkNmIzODhlYzBhNmU5M2FiOWViMmIzMWFlOTUwYmI4YTgwYWEiLCJpYXQiOjE1MzAxNjk2OTksIm5iZiI6MTUzMDE2OTY5OSwiZXhwIjoxODQ1Nzg4ODk5LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.B9T9h5X6dSZs3MFIl4xEOsIp66T-B4H9UFTYx7EDnp8b_2yeNdSNmrfKTo6cercpW0AAAlw_xFUOswpqZuOrRpDhGxSiL0Uz3LPelXC2VeTUvfDT75CCODyOWQP-nUPh49Nqp_GCizBmL219IiQLwXtYlEuEJbpXuHiN2LFS7N_xeELLLSPVGfc4PIgJ4rCCVnmOKYPXQHP_Vn7OsqpVyYWPi2yzjnmlIVbYdt8W7KycC6VZfJBJcgRVU-yi4G17PI9sFCuYgCU8Uh-bneGDgaWm9VLTOAIc_dMaDt0PnOt90oh6EeBLEdsa8MYh3v7iDeKIzM6pLBuGUGrvPM9lu-OmD1Q0mQsUgsd-oPYPANLpgZErlcZzD-sfqvc8ryt-s2SGlc882WcLgrpDxSVaxXXkcLWp7PhuLfrzoTRUJig8Gw-rrxV6cUMc551ItTWdFmZNUWJLa_UlgSfQEn4aH9rLTlvkFPocdSqBeCw4Br0QnjBS7fznw6Mw17dKCSMmxVVfhFTll3-60jWAnN7KA0hDGIjppUQZs5ADlSkcmPc_OzoOAk8v115zKrD93fKYRL0rKFHpildu_SrVRhwjkViSqbgBjh6YDSKd69H6HwJzBrhDiuCLdkDgRuRnn9p-1zCKlR0QQTWSUVm8Bq3bd7ZOPTMGfprdJqaP6pfGQgQ" 
    }
}

Logout
Request

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,bn;q=0.8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijk3M2QyZWEzZWUyMzI0OWM4NThkMWQ2OTYyMThjZTlkN2IwZTk0NDAwOTljZDZiMzg4ZWMwYTZlOTNhYjllYjJiMzFhZTk1MGJiOGE4MGFhIn0.eyJhdWQiOiIxIiwianRpIjoiOTczZDJlYTNlZTIzMjQ5Yzg1OGQxZDY5NjIxOGNlOWQ3YjBlOTQ0MDA5OWNkNmIzODhlYzBhNmU5M2FiOWViMmIzMWFlOTUwYmI4YTgwYWEiLCJpYXQiOjE1MzAxNjk2OTksIm5iZiI6MTUzMDE2OTY5OSwiZXhwIjoxODQ1Nzg4ODk5LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.B9T9h5X6dSZs3MFIl4xEOsIp66T-B4H9UFTYx7EDnp8b_2yeNdSNmrfKTo6cercpW0AAAlw_xFUOswpqZuOrRpDhGxSiL0Uz3LPelXC2VeTUvfDT75CCODyOWQP-nUPh49Nqp_GCizBmL219IiQLwXtYlEuEJbpXuHiN2LFS7N_xeELLLSPVGfc4PIgJ4rCCVnmOKYPXQHP_Vn7OsqpVyYWPi2yzjnmlIVbYdt8W7KycC6VZfJBJcgRVU-yi4G17PI9sFCuYgCU8Uh-bneGDgaWm9VLTOAIc_dMaDt0PnOt90oh6EeBLEdsa8MYh3v7iDeKIzM6pLBuGUGrvPM9lu-OmD1Q0mQsUgsd-oPYPANLpgZErlcZzD-sfqvc8ryt-s2SGlc882WcLgrpDxSVaxXXkcLWp7PhuLfrzoTRUJig8Gw-rrxV6cUMc551ItTWdFmZNUWJLa_UlgSfQEn4aH9rLTlvkFPocdSqBeCw4Br0QnjBS7fznw6Mw17dKCSMmxVVfhFTll3-60jWAnN7KA0hDGIjppUQZs5ADlSkcmPc_OzoOAk8v115zKrD93fKYRL0rKFHpildu_SrVRhwjkViSqbgBjh6YDSKd69H6HwJzBrhDiuCLdkDgRuRnn9p-1zCKlR0QQTWSUVm8Bq3bd7ZOPTMGfprdJqaP6pfGQgQ
build: 0.1
client-type: WEB
Connection: keep-alive
Content-Length: 52
Content-Type: application/json;charset=UTF-8
Cookie: auth.strategy=local; auth._refresh_token.local=false; auth._token.local=Bearer%20eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijk3M2QyZWEzZWUyMzI0OWM4NThkMWQ2OTYyMThjZTlkN2IwZTk0NDAwOTljZDZiMzg4ZWMwYTZlOTNhYjllYjJiMzFhZTk1MGJiOGE4MGFhIn0.eyJhdWQiOiIxIiwianRpIjoiOTczZDJlYTNlZTIzMjQ5Yzg1OGQxZDY5NjIxOGNlOWQ3YjBlOTQ0MDA5OWNkNmIzODhlYzBhNmU5M2FiOWViMmIzMWFlOTUwYmI4YTgwYWEiLCJpYXQiOjE1MzAxNjk2OTksIm5iZiI6MTUzMDE2OTY5OSwiZXhwIjoxODQ1Nzg4ODk5LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.B9T9h5X6dSZs3MFIl4xEOsIp66T-B4H9UFTYx7EDnp8b_2yeNdSNmrfKTo6cercpW0AAAlw_xFUOswpqZuOrRpDhGxSiL0Uz3LPelXC2VeTUvfDT75CCODyOWQP-nUPh49Nqp_GCizBmL219IiQLwXtYlEuEJbpXuHiN2LFS7N_xeELLLSPVGfc4PIgJ4rCCVnmOKYPXQHP_Vn7OsqpVyYWPi2yzjnmlIVbYdt8W7KycC6VZfJBJcgRVU-yi4G17PI9sFCuYgCU8Uh-bneGDgaWm9VLTOAIc_dMaDt0PnOt90oh6EeBLEdsa8MYh3v7iDeKIzM6pLBuGUGrvPM9lu-OmD1Q0mQsUgsd-oPYPANLpgZErlcZzD-sfqvc8ryt-s2SGlc882WcLgrpDxSVaxXXkcLWp7PhuLfrzoTRUJig8Gw-rrxV6cUMc551ItTWdFmZNUWJLa_UlgSfQEn4aH9rLTlvkFPocdSqBeCw4Br0QnjBS7fznw6Mw17dKCSMmxVVfhFTll3-60jWAnN7KA0hDGIjppUQZs5ADlSkcmPc_OzoOAk8v115zKrD93fKYRL0rKFHpildu_SrVRhwjkViSqbgBjh6YDSKd69H6HwJzBrhDiuCLdkDgRuRnn9p-1zCKlR0QQTWSUVm8Bq3bd7ZOPTMGfprdJqaP6pfGQgQ
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Referer: http://localhost:3000/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
version: 0.0.1

Now when I login again, the access token is changed.
Login 2
Response

{
    "data": { 
         "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImQ2N2RjYWZkYWJhZWEwYTUzZDBiODQwYjRjMWYxNWVmMTVjNWE5NTg2N2Q2MjkxM2FlMWJjOGI1YjIyNmY0Zjk3MGJhODM5NzE1N2NlNmFiIn0.eyJhdWQiOiIxIiwianRpIjoiZDY3ZGNhZmRhYmFlYTBhNTNkMGI4NDBiNGMxZjE1ZWYxNWM1YTk1ODY3ZDYyOTEzYWUxYmM4YjViMjI2ZjRmOTcwYmE4Mzk3MTU3Y2U2YWIiLCJpYXQiOjE1MzAxNzA4NjgsIm5iZiI6MTUzMDE3MDg2OCwiZXhwIjoxODQ1NzkwMDY4LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.YxfdrtdHpDMZTuh5qLkIS6zKqJhqhJAnIqT9UZMMyc8caqA8pZMk0C648c2K55DLnomZnvFqTRtQfatGKpAPM1ku0-Nzpmxfn-2lsOB_cXehsw-OB15W0y3Bor2kFImokBWhW3qsHgkouOx8D3KSNHtIrtrdz3W8O9WwXiWEcPn3rtgZ-5qg6VBPcC9SHay1Bbaeqz3tjWGptMKPQFEpB7bKNbNlQjwtj4B-WbmRAz-s6X24RqOJsUS1frAe6eDn85RUY5lsQuZfsK8TL3mEC75Wcpc863nrf2AVTrtH6uBaKxlV6BQIDVBSTWquTH2DRRexzeEADYJwleaWr4H2eJN-C3kOcDF7pSInIsC3Q81-AAWjrWq6dfy2UKzif9bS265gnC3itNHeT2wySZYC7KulRzuDW1mhwM8jgX-ilk9Qg8xqr-Vh7eCF0igWwP2UHGNxrGd-f8j5Uc6eIw8guzZqqSveUmF83LOHe4Cy9RBybF7RdJHo8KZ6i4D8sR4kGP-1VhXirIQ3-DBZS-I5Eq3J8ZH_8z6ioLmlBxTx6ePwoQqrtyyaSiWbdvQl5RSVFH3ngOBcQB4KmHoPIYy2PqPoe1-XMhfsh94YgPrEAWSqAlHn6xRPLxyWdoV5OoVYG7BVGaWbfZnlg9PUFQxPJYqfm0_WHvqBO-Lwxyb8QsE" 
    }
}

And this token is set both on cookie and localstorage. But the $auth.fetchUser() api uses the old access token so login is not being completed. Refreshing the page fixes this as the access token stored in the cookie is a valid one.

Fetch User
Request

Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,bn;q=0.8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6Ijk3M2QyZWEzZWUyMzI0OWM4NThkMWQ2OTYyMThjZTlkN2IwZTk0NDAwOTljZDZiMzg4ZWMwYTZlOTNhYjllYjJiMzFhZTk1MGJiOGE4MGFhIn0.eyJhdWQiOiIxIiwianRpIjoiOTczZDJlYTNlZTIzMjQ5Yzg1OGQxZDY5NjIxOGNlOWQ3YjBlOTQ0MDA5OWNkNmIzODhlYzBhNmU5M2FiOWViMmIzMWFlOTUwYmI4YTgwYWEiLCJpYXQiOjE1MzAxNjk2OTksIm5iZiI6MTUzMDE2OTY5OSwiZXhwIjoxODQ1Nzg4ODk5LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.B9T9h5X6dSZs3MFIl4xEOsIp66T-B4H9UFTYx7EDnp8b_2yeNdSNmrfKTo6cercpW0AAAlw_xFUOswpqZuOrRpDhGxSiL0Uz3LPelXC2VeTUvfDT75CCODyOWQP-nUPh49Nqp_GCizBmL219IiQLwXtYlEuEJbpXuHiN2LFS7N_xeELLLSPVGfc4PIgJ4rCCVnmOKYPXQHP_Vn7OsqpVyYWPi2yzjnmlIVbYdt8W7KycC6VZfJBJcgRVU-yi4G17PI9sFCuYgCU8Uh-bneGDgaWm9VLTOAIc_dMaDt0PnOt90oh6EeBLEdsa8MYh3v7iDeKIzM6pLBuGUGrvPM9lu-OmD1Q0mQsUgsd-oPYPANLpgZErlcZzD-sfqvc8ryt-s2SGlc882WcLgrpDxSVaxXXkcLWp7PhuLfrzoTRUJig8Gw-rrxV6cUMc551ItTWdFmZNUWJLa_UlgSfQEn4aH9rLTlvkFPocdSqBeCw4Br0QnjBS7fznw6Mw17dKCSMmxVVfhFTll3-60jWAnN7KA0hDGIjppUQZs5ADlSkcmPc_OzoOAk8v115zKrD93fKYRL0rKFHpildu_SrVRhwjkViSqbgBjh6YDSKd69H6HwJzBrhDiuCLdkDgRuRnn9p-1zCKlR0QQTWSUVm8Bq3bd7ZOPTMGfprdJqaP6pfGQgQ
build: 1.1
client-type: I
Connection: keep-alive
Cookie: auth.strategy=local; auth._refresh_token.local=false; auth._token.local=Bearer%20eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6ImQ2N2RjYWZkYWJhZWEwYTUzZDBiODQwYjRjMWYxNWVmMTVjNWE5NTg2N2Q2MjkxM2FlMWJjOGI1YjIyNmY0Zjk3MGJhODM5NzE1N2NlNmFiIn0.eyJhdWQiOiIxIiwianRpIjoiZDY3ZGNhZmRhYmFlYTBhNTNkMGI4NDBiNGMxZjE1ZWYxNWM1YTk1ODY3ZDYyOTEzYWUxYmM4YjViMjI2ZjRmOTcwYmE4Mzk3MTU3Y2U2YWIiLCJpYXQiOjE1MzAxNzA4NjgsIm5iZiI6MTUzMDE3MDg2OCwiZXhwIjoxODQ1NzkwMDY4LCJzdWIiOiIxMyIsInNjb3BlcyI6W119.YxfdrtdHpDMZTuh5qLkIS6zKqJhqhJAnIqT9UZMMyc8caqA8pZMk0C648c2K55DLnomZnvFqTRtQfatGKpAPM1ku0-Nzpmxfn-2lsOB_cXehsw-OB15W0y3Bor2kFImokBWhW3qsHgkouOx8D3KSNHtIrtrdz3W8O9WwXiWEcPn3rtgZ-5qg6VBPcC9SHay1Bbaeqz3tjWGptMKPQFEpB7bKNbNlQjwtj4B-WbmRAz-s6X24RqOJsUS1frAe6eDn85RUY5lsQuZfsK8TL3mEC75Wcpc863nrf2AVTrtH6uBaKxlV6BQIDVBSTWquTH2DRRexzeEADYJwleaWr4H2eJN-C3kOcDF7pSInIsC3Q81-AAWjrWq6dfy2UKzif9bS265gnC3itNHeT2wySZYC7KulRzuDW1mhwM8jgX-ilk9Qg8xqr-Vh7eCF0igWwP2UHGNxrGd-f8j5Uc6eIw8guzZqqSveUmF83LOHe4Cy9RBybF7RdJHo8KZ6i4D8sR4kGP-1VhXirIQ3-DBZS-I5Eq3J8ZH_8z6ioLmlBxTx6ePwoQqrtyyaSiWbdvQl5RSVFH3ngOBcQB4KmHoPIYy2PqPoe1-XMhfsh94YgPrEAWSqAlHn6xRPLxyWdoV5OoVYG7BVGaWbfZnlg9PUFQxPJYqfm0_WHvqBO-Lwxyb8QsE
DNT: 1
Host: localhost:3000
Referer: http://localhost:3000/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
version: 2.0

This bug report is available on Nuxt community (#c165)
bug

All 34 comments

Do you have /api/logout implemented?
I have a case where, when it is not implemented, logout does not work at all.

  1. So I changed /examples/api/auth.js in the project source and commented out the whole [POST] /logout function.
  2. Then I log in and get to the secure page.
  3. After I push the logout button, I can still access the secure page.

Yes, api/logout is implemented. After logout, refreshing the page seems to resolve the issue. So for now I am doing a page refresh after a logout. So it works okay for now.

I'm having a problem where if I call this.$auth.logout(), it seems to update the state (loggedIn changes to false), and it appears as if I were logged out, but then if I reload the browser, I'm immediately logged back in.

Even opening other browsers (IE, Firefox, Chrome) that I had never opened before, and after ensuring I've cleared my localStorage, cookies, if I open http://localhost:3000 I'm already logged in, and the cookie/localStorage repopulates.

Is there something happening on the server-side that's creating a cookie or localStorage that I can't see from the client-side (browser)?

@nathanchase exact issue here :( State has the user response. I can't even see any network request in devtools.

@Chathula Well, I solved it by ensuring that I had a user object. If there's no user object, then loggedIn will ALWAYS be set to true, because of this: https://github.com/nuxt-community/auth-module/issues/213

@nathanchase can you show me some code example?

@pi0 can you look into this issue? I am waiting to launch my app.

@Chathula The problem code is outlined in this related issue: https://github.com/nuxt-community/auth-module/issues/213

Essentially, if a user object is empty (i.e., in nuxt.config.js auth config, user: false), then the loggedIn state variable will ALWAYS be true, thus giving the appearance of never logging you out.

See this line: https://github.com/nuxt-community/auth-module/blob/dev/lib/core/auth.js#L233

The scenario I'm facing could be related:

Steps:

  1. ✅ Log in as userA (token received, all good)
  2. ✅ User details api fires and I receive details for userA
  3. Log out using this.$auth.logout() (looks logged out in Vuex 👀)
  4. ✅ Try Log in as userB (login API fires, response contains new token 👍)
  5. ⚠️ User details api fires automatically _but sends userA's old token_.
  6. 👎 _I'm now logged in as userA again_ 😖.
  7. 🤯 Refresh the browser, now logged in as userB.

All I can think is that, although Vuex looks cleared, there is a token stored somewhere that is persisting after clicking log out.

Does anyone think this could be part of the same issue?

It seems that using store.state.auth.loggedIn instead of auth.loggedIn is a working workaround

@nathanchase +1 here.

After logging out, the token has been cleared but the "ctx" still has the old "user" and "loggedIn" state.
When initializing the "state" in the "storage", the "state" copies the old auth data from the "ctx".

https://github.com/nuxt-community/auth-module/blob/dev/lib/core/storage.js#L91

The token persists in Authorization header. If you remove it before a new login, it works as expected:

this.$auth.strategies.local.options.endpoints.user.headers['Authorization'] = null
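
The stale-header symptom described in the comment above, as an added example that is not part of the thread or the auth module's code: a constructed model in which logout clears storage and client defaults but a copy of the token survives in the endpoint's headers, plus a check that flags any request sent with a token other than the stored one. All names (`createSession`, `fetchUser`, `logoutLeaky`, `logoutFull`, `staleRequests`) and the way the token reaches the endpoint config are assumptions made for illustration.

```javascript
// Constructed model of the symptom in this thread; not the auth module's code.
// Assumptions: per-request headers override client defaults, and the token is
// cached once in the shared endpoint config (hypothetical mechanism).
const TOKEN_KEY = '_token.local';

function createSession() {
  return {
    storage: new Map(), // stands in for cookie + localStorage
    defaults: {},       // client-wide default headers
    userEndpoint: { url: '/api/user/details', headers: { Accept: 'application/json' } },
    sent: [],           // audit trail of every request that went out
  };
}

function send(s, endpoint) {
  const headers = { ...s.defaults, ...endpoint.headers }; // endpoint headers win
  s.sent.push({ url: endpoint.url, headers, stored: s.storage.get(TOKEN_KEY) });
  return headers;
}

function login(s, token) {
  s.storage.set(TOKEN_KEY, token);
  s.defaults.Authorization = token;
}

function fetchUser(s) {
  // Modelled defect: the token is copied into shared config and never refreshed.
  if (!s.userEndpoint.headers.Authorization) {
    s.userEndpoint.headers.Authorization = s.storage.get(TOKEN_KEY);
  }
  return send(s, s.userEndpoint);
}

// Clears what the reporters could see being cleared: storage and defaults.
function logoutLeaky(s) {
  s.storage.delete(TOKEN_KEY);
  delete s.defaults.Authorization;
}

// Also drops the copy held in the endpoint config, mirroring the workaround above.
function logoutFull(s) {
  logoutLeaky(s);
  delete s.userEndpoint.headers.Authorization;
}

// Regression check: any request whose Authorization header differs from the
// token in storage at send time was made with a stale credential.
function staleRequests(s) {
  return s.sent.filter((r) => r.headers.Authorization !== r.stored);
}

function relogin(logoutFn) {
  const s = createSession();
  login(s, 'Bearer token-A'); // constructed sample tokens
  fetchUser(s);
  logoutFn(s);
  login(s, 'Bearer token-B');
  fetchUser(s);
  return s;
}

console.log('leaky logout, stale requests:', staleRequests(relogin(logoutLeaky)).length);
console.log('full logout, stale requests: ', staleRequests(relogin(logoutFull)).length);
```

The same comparison (header sent versus token stored) can be asserted in an end-to-end test of a login, logout, login sequence with two different accounts.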

@mkstix6 did you manage to find a solution to this? I am having the same issue, but it only seems to be with IE.

Did you find a fix for this? I am also facing the same issue.

It's deployed on production:
https://webpd.gamecom.app/

I am not sure; I have tried clearing all tokens and storage but still have the same problem.

@craigPeckett and @ankitarora05, our code still includes @olibia's suggestion above.
If I remove that code I immediately start experiencing issues with repeat logins again.

Thank you @olibia.

Just wanted to note that some of our package versions are a little old now:
nuxt 2.10.1
@nuxtjs/auth 4.9.0

How can we manually clear the tokens until this is fixed? I'm using auth0

Hi @codeofsumit! What version of auth module are you using?

@JoaoPedroAS51
EDIT: 4.9.0

@codeofsumit Thanks. I will make some tests and see if I can find the issue :)

You can clear the tokens using this.$auth.setToken('auth0', false) and this.$auth.setRefreshToken('auth0', false)
And to clear axios header, use this.$axios.setHeader('Authorization', false)

Thanks @JoaoPedroAS51 - this is my logout action now:

async logout({ state, commit }) {
    this.$auth.setToken(false)
    this.$auth.setRefreshToken(false)
    this.$axios.setHeader('Authorization', false)

    window.location = `https://${process.env.VUE_APP_AUTHDOMAIN}/v2/logout?returnTo=${window.location.origin}/logout`
},

However, after returning from auth0's logout endpoint, the token is still set in axios.

Seems like the Cookie isn't cleared

@codeofsumit Can you try $auth.$storage.removeUniversal('_token.auth0')?

@codeofsumit Oh sorry, I forgot to mention that setToken and setRefreshToken require the strategy as first parameter.
Try this.$auth.setToken('auth0', false) and this.$auth.setRefreshToken('auth0', false)

@codeofsumit I'm testing here and it seems to be working. I think an easier solution is to use this.$auth.logout() instead of manually removing tokens.

async logout({ state, commit }) {
    await this.$auth.logout()
    window.location = `https://${process.env.VUE_APP_AUTHDOMAIN}/v2/logout?returnTo=${window.location.origin}/logout`
},

Hi @mkstix6! What scheme are you using?

@JoaoPedroAS51 thanks for reminding me. I tried this in the past but somehow it wasn't working as expected so I removed it. It's working fine now and is the best solution of course ❤️
Thanks a lot.

Looking forward to the next version where tokens are refreshed 🎉

Hi @mkstix6! What scheme are you using?

Hey, ours is configured like so (perhaps there's something weird in there):

auth: {
    strategies: {
      local: {
        endpoints: {
          login: {
            url: '/api/auth/login',
            method: 'post',
            propertyName: 'access_token',
            userinfo_endpoint: false
          },
          logout: {
            url: '/api/auth/logout',
            method: 'get'
          },
          user: {
            url: '/api/user/details',
            method: 'get',
            propertyName: false,
            headers: { Accept: 'application/json' },
            tokenRequired: true,
            tokenType: 'Bearer',
            userinfo_endpoint: false
          }
        },
        tokenRequired: true,
        tokenType: 'Bearer'
      }
    }
}

@mkstix6 Your config looks good to me. But I think userinfo_endpoint is not an option.
Also tokenRequired and tokenType don't need to be set inside user object. :)

What version are you using now?

You said that using this solves your problem, right?

this.$auth.strategies.local.options.endpoints.user.headers['Authorization'] = null

  • Thanks.
  • I'm still on @nuxtjs/auth 4.9.0 and nuxt 2.10.1.
  • Yes, that code seemed to make logging in and logging out more stable once I added it a while back. Note: regarding my recent comment I only quickly tried removing it and re-testing it.

I faced a similar issue when using GitHub's Oauth2 authentication.
The version of the module is @nuxtjs/auth 4.9.1.

Steps:

✅ Log in as userA (token received, all good)
✅ User details api fires and I receive details for userA
Log out using this.$auth.logout() (looks logged out in Vuex 👀)
✅ Try Log in as userB (login API fires, response contains new token 👍)
⚠️ User details api fires automatically but sends userA's old token.
👎 I'm now logged in as userA again 😖.
🤯 Refresh the browser, now logged in as userB.

The symptom above may be caused by a cookie from github.com being left in the browser.
Therefore, I deleted the cookie of github.com or requested the logout endpoint of api.github.com directly.
Then I can log in as a different user.

It would be appreciated if you could modify, or add some options.

Hey All.
So in my case I was using Auth0, I was having very similar symptoms and just could not figure it out. None of these solutions worked, except for the fact that it was required to call window.location 'http://{auth0 domain}/v2/logout....' The one thing I was forgetting was to add the client_id to the url... That was required for Auth0 to be able to delete those cookies.

I think this is fixed in v5, but not in v4:
https://github.com/nuxt-community/auth-module/commit/43eedc767432cbce4eb979ff56c6f52f89eabf41

I have a problem: the api/aut/logout request was pending forever and did not log out with a redirect, I think because of this:
[HPM] Error occurred while trying to proxy request /xapi/auth/logout from localhost:3000 to http://localhost:3000 (ECONNRESET) (https://nodejs.org/api/errors.html#errors_common_system_errors) (repeated 28253 times)

But other API calls work well?!

Closing here, as this issue should be fixed in auth v5. We now recommend using v5 instead of v4. See status and #893

If you are using nuxt auth you can try

this.$auth.strategy.token.reset();
