Steps To Reproduce
Expected behaviour
Logging out of integrations removes authentication to the integration. For example, a user can log into my website, authenticate with an integration, a different user can log in and then integrate with the previous user's Dropbox integration :(
Investigation
It is possible to force logout by going in a separate tab to https://www.dropbox.com/logout and this logs out.
Removing the uppyAuthToken--XXXX cookie or companion-XXXX-auth-token in local storage does not stop authentication.
The issue happens with the Instagram integration too.
The https://companion.uppy.io/instagram/logout?redirect=https://uppy.io/examples/dashboard/
returns
{"ok":true}
I've replicated the same issue with the Google Drive logout. Any thoughts?
I think there's a misunderstanding in the behaviour here. What the logout button does is destroy the currently available token it uses to access your data. So if you try to connect to Google Drive again, it has to request another token. It DOES NOT disconnect Uppy from your Google Drive app completely.
To disconnect Uppy from your Google Drive app completely, you need to go here https://myaccount.google.com/permissions and remove Uppy from the permitted apps. There are similar functionalities with other providers.
Thanks for the quick reply, however I expect the log out button to log out....
If I was a single user and I want to connect with the same provider with two sets of credentials [two Instagram accounts for example]. I can't, I just get into a loop of logging out and then rehitting the 'connect to Instagram' button within Uppy. I get signed directly back in.
I understand that this can be managed outside the Uppy component but would expect the log out button to trigger the disconnect. (otherwise what's the point of having a log out button?)
This is even worse if multiple users are on the same machine. If the tab is closed and then reopened, the next user can then access my files.
I love the work on the uppy component :)
> If I was a single user and I want to connect with the same provider with two sets of credentials [two Instagram accounts for example]. I can't, I just get into a loop of logging out and then rehitting the 'connect to Instagram' button within Uppy. I get signed directly back in.

If we disconnect from the app totally on our side, you will still end up in a loop, because it attempts to connect with the Dropbox account currently logged in on your browser. So it will still try to connect you with that account (only difference is that it asks for permission again), unless you log out of that Dropbox account and log in to a different Dropbox account.

> (otherwise what's the point of having a log out button?)

The point of the logout is so that it discards any access token which can be used to access your account. If this token is not discarded, uppy/companion can still read your data even if you've logged out of Dropbox on your browser.

> This is even worse if multiple users are on the same machine. If the tab is closed and then reopened, the next user can then access my files.

If multiple users are on the same machine and your Dropbox account is still in session, a different user can equally access your Dropbox account without Uppy. (S)he just needs to navigate the browser to https://dropbox.com. So the solution really is to log out from your Dropbox account and log in to a different one if you want to access a different account.
Thanks for your comments @ifedapoolarewaju, really helpful.
I've compared the integration behaviour with the same provided by Filestack https://www.filestack.com/. Of course it works in the same way in that 'Signing out' is destroying the current token, but leaves the user signed in to those services in the browser too.
A critical key difference seems to be how Filestack have implemented the sign in behaviour with Google Drive. Google allow for a 'prompt' to the OAuth2 endpoint. It looks like Filestack are using these to prompt a user through the 'Choose an account' and 'Consent' workflow each time.
This gives the user a simple means of switching between multiple Google accounts when they logout and connect again.
https://developers.google.com/identity/protocols/OAuth2UserAgent
Prompt | Optional. A space-delimited, case-sensitive list of prompts to present the user. If you don't specify this parameter, the user will be prompted only the first time your app requests access.
Possible values are:
- none: Do not display any authentication or consent screens. Must not be specified with other values.
- consent: Prompt the user for consent.
- select_account: Prompt the user to select an account.
I think this would be a great addition to the sign in workflow for Drive?
As a user, though, it still feels that 'logout' is really misleading, but as you say, even revoking the token completely wouldn't sign the user out of the service, but simply require them to provide consent again.
Would it be possible to have an event raised on logout, so that it can then be dealt with in other ways, for example providing users feedback as to what logout has actually done etc.?
Thanks for all the great work - we love Uppy
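
The prompt rules quoted in the comment above, applied when building a Google authorization URL so that each reconnect shows the account chooser and the consent screen. This is an added example, not code from the thread or from Uppy/Companion; the option names, client ID, redirect URI, scope, state value and the authorization-code flow are assumptions.

```javascript
// Added example, not Uppy/Companion code.
const GOOGLE_AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/v2/auth';
const ALLOWED_PROMPTS = new Set(['none', 'consent', 'select_account']);

// Validate prompt values per the documentation quoted in the thread and
// return them as the space-delimited string the endpoint expects.
function normalizePrompt(prompts) {
  const unique = [...new Set(prompts)];
  for (const p of unique) {
    // Case-sensitive: "Consent" is rejected rather than silently lowercased.
    if (!ALLOWED_PROMPTS.has(p)) throw new Error(`unsupported prompt value: ${p}`);
  }
  if (unique.includes('none') && unique.length > 1) {
    throw new Error('"none" must not be specified with other values');
  }
  return unique.join(' ');
}

// All option names are hypothetical; values are supplied by the caller.
function buildGoogleAuthUrl({ clientId, redirectUri, scope, state,
  prompts = ['select_account', 'consent'] }) {
  if (!state) throw new Error('state is required to tie the callback to this session');
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code', // assumption: server-side authorization-code flow
    scope,
    state,
  });
  const prompt = normalizePrompt(prompts);
  // With no prompt parameter the user is prompted only on first access.
  if (prompt) params.set('prompt', prompt);
  return `${GOOGLE_AUTH_ENDPOINT}?${params}`;
}

// Constructed sample values, for illustration only.
const exampleUrl = buildGoogleAuthUrl({
  clientId: 'example-client-id.apps.googleusercontent.com',
  redirectUri: 'https://companion.example.com/drive/callback',
  scope: 'https://www.googleapis.com/auth/drive.readonly',
  state: 'constructed-per-session-random-value',
});
console.log(exampleUrl);
```
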
IMHO this (logout behaviour) is not only a topic about security and usability (possibility to use multiple accounts as @mortalcompiler describes) but also a topic of "felt security":
Do I trust that everything is okay here?
If I'm not sure about this, it may be a reason to avoid using this function/the website/this service again in the future.
So if one could make it as transparent and "expectation conform" as possible (Log out feels like logout) it would be a really valuable extension of this already awesome Uppy!
After discussing with the team, we decided that a possible solution to this issue is:
To unauthorize this file uploader from your Instagram account, please go to <a href="instagram/settings/oauth">instagram/settings/oauth</a> as unfortunately I can't do this myself.
Sounds like a great solution and thanks for looking into this.