Client keeps user information even if logged out
`document.querySelector("sib-auth").session` and `document.querySelector("sib-auth").getUser()` will still return user information, even if the user is not logged in anymore on the server.
To reproduce:
- Login from any client
- Go to any URL of the server, then remove the cookies of the server (not of the client).
  - Ensure that you are logged out: go to http://your_server/check-user/, it must return nothing.
- Reload client. You'll still be logged in, session will be known as "valid", but no request will work as you are currently disconnected on server side.
Expected behavior: After being logged out from a server, I expect the client to turn back to the "un-logged in" state. If I reload the page, I expect it not to keep any information about me.
This issue is one of the main behavior problems in Sib App, as you'll still see yourself as logged in after your token expires on the server but nothing will work (no circle, no project, no chat). As long as sib-oidc still returns a "valid" value from `getUser`, we can't work around it to ensure the user is really logged in.
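The check the report asks for, sketched as an added example (not part of the original issue and not sib-auth or sib-oidc code): on page load, the cached identity is reconciled against the server's `/check-user/` endpoint before the UI treats it as valid. The function names, the `cache` object and the rule that a non-empty 2xx body means "logged in" are assumptions; only the endpoint path and its "returns nothing when logged out" behaviour come from the report.

```javascript
// Hypothetical helper names; only the /check-user/ path comes from the issue.

// Pure decision: combine the client's cached user with the server's answer.
// Assumption: a 2xx response with a non-empty body means the server still
// has a session for us; an empty body means it does not.
function decideSessionState(cachedUser, status, body) {
  const serverKnowsUser =
    status >= 200 && status < 300 && body.trim() !== "";
  if (serverKnowsUser) return "logged-in";
  // Server unreachable or failing: we cannot confirm anything, so the
  // cached identity must not be shown as a valid session.
  if (status === 0 || status >= 500) {
    return cachedUser ? "unverified" : "logged-out";
  }
  // Empty body, 401, 403, ...: the server no longer knows this user.
  return "logged-out";
}

// Ask the server, then drop the stale identity if it has been logged out.
// `cache` stands in for wherever the client keeps its user object.
async function reconcileSession(cache, serverBase, fetchImpl = fetch) {
  let status = 0;
  let body = "";
  try {
    const res = await fetchImpl(new URL("/check-user/", serverBase), {
      credentials: "include", // send the server's own session cookie
      cache: "no-store",      // never answer from the HTTP cache
    });
    status = res.status;
    body = await res.text();
  } catch (_) {
    // status stays 0: treated as "server unreachable"
  }
  const state = decideSessionState(cache.user, status, body);
  if (state === "logged-out") cache.user = null;
  return state;
}
```

The "unverified" state keeps the cached user only so the client can retry; the UI should not present it as a logged-in session.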
@balessan Giving that to you, I don't know who is in charge here. :)
@alexandre @rachel Finally a track to follow about this kind of issue: https://git.startinblox.com/applications/sib-app/issues/382