
I am logging in a user successfully via /login and am able to show information on my /profile route.

Now, I am trying to /logout the authenticated user, but it seems it is not working. When calling the logout route, nothing is happening. The JWT token is not getting expired, so the /profile data is still there even after the logout click.

//logout testing
router.post('/logout', checkAuth, (req, res) => {
    req.logOut();   // Passport session logout; has no effect on a stateless JWT
    // .send() already ends the response, so the chained .redirect() throws
    // "Cannot set headers after they are sent to the client"
    res.status(200).send(["logged out"]).redirect('/login');
});

This is my /profile:

router.get('/profile', checkAuth, (req, res) => {
    // req.userData is whatever checkAuth attached from the verified token
    User.find(req.userData, function (err, users) {
        if (err) return res.status(500).send(err);
        res.send(req.userData);   // echoes the token claims, not the `users` result
    });
});

I want the logout to be global. The user must get logged out from each device the user is logged in on.

WhoAmI
    Why is the '/logout' route a POST route? – Vishal-L Jan 09 '19 at 09:42
  • @Vishal-L I have used POST because of the following: https://stackoverflow.com/questions/3521290/logout-get-or-post . Even when I use GET I get the same response, with only the `["logged out"]` message, but nothing functionally working – WhoAmI Jan 09 '19 at 09:50

1 Answer


When you use a JWT your server is stateless: you don't have a session on your server. You must delete the stored JWT on the client side, or (I'm not a fan of this technique; it's not good practice) you can store a list of "revoked" JWTs on the server side when you log out and check whether the token sent by the client is on this list. You can also store the date of the last logout and check whether the date of the JWT is older than the logout date; if it is older, the JWT is not valid.

Arkerone
  • Ok got it, but I am not working on the client side yet. So how will I include a session on the server side? Sorry, but I am not familiar with backend node.js – WhoAmI Jan 09 '19 at 10:00
  • If you work only on the server side you must create a JWT with a reasonable expiry date and implement a refresh token, so when the JWT expires the client uses the refresh token to create a new JWT. The storage of the JWT must be done on the client side, and when the client logs out, he must delete the JWT on his side. It's not really good practice to store the JWT on the server side. – Arkerone Jan 09 '19 at 10:06
  • I have included an expiry time of 1 hr for the JWT in the `/login` route. But now how will I destroy that JWT during logout on the server side? – WhoAmI Jan 09 '19 at 10:26
  • You can't destroy a JWT; all information is stored inside the JWT. As I said, when you use a JWT your server is stateless; if you want to "destroy" a JWT on the server side you must store a list of revoked JWTs and check for each request whether the JWT is on the revoked list, but it's not good practice. – Arkerone Jan 09 '19 at 10:32
  • So that means logout must be handled on the client side? I got you. Thanks – WhoAmI Jan 09 '19 at 10:40
  • You can also store the date of the last logout and check whether the date of the JWT is older than the logout date; if it is older, the JWT is not valid. – Arkerone Jan 09 '19 at 10:41