Logout via API doesn't work consistently

(Shirley Yin) #1

I’m using the API to log users out of Discourse from our main app, but it only works intermittently. I’m sending a POST request to /admin/users/{user_id}/log_out?api_username={api_user}&api_key={api_key}, and I always receive a 200 OK response, but sometimes the user is not logged out.

Sometimes I get 403 errors (shown below), but refreshing a few times causes the page to load again, and sometimes I don’t even get 403 errors and I can access content as though I never logged out.

“log out strict” is enabled, but this occurs whether or not this setting is enabled.

(Dongkang Li) #2

I have the same problem.

(Summer Lao) #3

Does not work for me either. I want to know how to solve the problem.

(Sam Saffron) #4

Are you 100% sure the user is not logged out? The code looks absolutely correct to me:

What is far more likely here is that the user is logged out, but somehow the message telling the user’s client UI that it is logged out did not reach it.

Can you reproduce a case where you get a 200 yet the user is still logged in after they refresh the current page?

How is your Discourse set up? What version?

(Shirley Yin) #5

I think in the cases where I get a 403, the UI popup message isn’t working. However, that doesn’t explain why the page content starts loading again if I refresh a few times.

I can reproduce it on my install by keeping the Discourse window open and using Postman to send the POST request, but I’m not sure how I can show you what’s happening. If it helps, here’s a screenshot from Postman:

I installed Discourse using the official setup guide (using the ./discourse-setup tool) on EC2. I’m on version v1.9.0.beta15 +90. Are there any logs of API calls I can view?

(Shirley Yin) #6

Actually, I just noticed something strange. I temporarily cleared the logout redirect option (previously, it was redirecting to our app’s sign out page) and now clicking “Log Out” on Discourse pops up the modal and auto-refreshes the page but the user is still signed in!

(Sam Saffron) #7

Well, if you have SSO going you could be logging people out and then transparently logging them in.

Keep in mind the message bus only polls every 2 minutes in the background, so it can take up to 2 minutes for users to get the log off message.

(Shirley Yin) #8

Oh right, I forgot about that. I’ll keep testing then.

(Shirley Yin) #9

Sorry for the late reply. One part of the problem was on our end; I was calling the Discourse logout API before the logout call for our app. I’m guessing the user was getting re-logged in to Discourse in the background because we had SSO enabled.

I’ve fixed that and I can no longer access any content from Discourse after logging out from our app. However, I never get the log out modal, and I can keep clicking buttons on the page, although I get 403 errors and nothing loads.

I’m not as concerned about this, as this only affects currently open tabs. Opening a new tab and navigating to our Discourse URL correctly redirects to the login page. Thanks for your help and feel free to close this topic.
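
The ordering problem diagnosed in posts #7 and #9, as an added example that is not part of the thread and not Discourse code: a toy model with the main app as SSO provider and Discourse as consumer, showing why revoking the forum session first only fails when an open tab makes a request between the two logout calls. The names `Provider`, `Forum`, `run` and the user `alice` are hypothetical.

```python
# Toy model of the logout race from this thread (constructed; not Discourse code).
class Provider:
    """The main app acting as SSO provider (hypothetical model)."""
    def __init__(self):
        self.sessions = set()

    def log_out(self, user):
        self.sessions.discard(user)


class Forum:
    """Discourse as SSO consumer: no forum session means a bounce to the provider."""
    def __init__(self, provider):
        self.provider = provider
        self.sessions = set()

    def log_out(self, user):
        # Stands in for POST /admin/users/{user_id}/log_out
        self.sessions.discard(user)

    def request(self, user):
        if user in self.sessions:
            return "200 content"
        if user in self.provider.sessions:
            # Provider session still live: the SSO round trip signs the user back in.
            self.sessions.add(user)
            return "200 content (re-logged in via SSO)"
        return "redirect to login"


def run(order, request_between):
    """order: 'forum_first' or 'app_first'.
    request_between: an open tab fires a request between the two logout calls."""
    app = Provider()
    forum = Forum(app)
    app.sessions.add("alice")
    forum.sessions.add("alice")
    steps = [forum.log_out, app.log_out]
    if order == "app_first":
        steps.reverse()
    steps[0]("alice")
    if request_between:
        forum.request("alice")
    steps[1]("alice")
    # What the user sees on the next page load after both logouts completed.
    return forum.request("alice")
```
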