I've tried different approaches but none of them worked. My current logout function looks like this:
authRouter.post('/logout', (req, res, next) => {
    res.clearCookie('connect.sid');
    req.logout(function (err) {
        req.session.destroy(function (err) {
            res.send();
        });
    });
});
The requests to this endpoint go through, but they do not actually log the user out.
I have to note that this function:
- does not remove/change the row in the SQLite db that stores the session
- does not remove/change the cookie stored by the browser
- does not stop the user from using secured endpoints. I use this function to check whether the user should be able to access endpoints:
const isAuth = (req, res, next) => {
    if (req.user) next();
    else {
        res.json({ loggedIn: false });
    }
};
For the record, this is how I make the request on my frontend:
await axios.post('/auth/logout', { withCredentials: true });
I've seen posts online claiming that this is intentional, but that doesn't seem right to me. I understand the logic that a Google user should remain logged in to my app as long as they are logged in to their Google account anywhere else in the browser, but it should still be possible to be logged out of my app exclusively. If a user has to specifically log in to my app, they should be able to log out. I definitely don't want to use a method where my user has to log out of every Google app. It seems silly to document logging out of Google OAuth if it's not possible (https://www.passportjs.org/tutorials/google/logout/).