
I use the following code in the client:

import frAppLib from '@feathersjs/feathers'
import frRestLib from '@feathersjs/rest-client'
import auth from '@feathersjs/authentication-client'
import { CookieStorage } from 'cookie-storage'
const cookieStorage = new CookieStorage()

const authOptions = {
  header: 'Authorization', // the default authorization header for REST
  prefix: '', // if set will add a prefix to the header value. for example if prefix was 'JWT' then the header would be 'Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOi...'
  path: '/authentication', // the server-side authentication service path
  jwtStrategy: 'jwt', // the name of the JWT authentication strategy
  entity: 'user', // the entity you are authenticating (ie. a users)
  service: 'users', // the service to look up the entity
  cookie: 'feathers-jwt', // the name of the cookie to parse the JWT from when cookies are enabled server side
  storageKey: 'feathers-jwt', // the key to store the accessToken in localstorage or AsyncStorage on React Native
  storage: cookieStorage // Passing a WebStorage-compatible object to enable automatic storage on the client.
}

const feathers = frAppLib()

const apiUrl = process.env.NODE_ENV == 'production'
      ? 'http://localhost:3030' //TODO
      : 'http://localhost:3030'

const frRest = frRestLib(apiUrl)

feathers.configure(frRest.fetch(window.fetch))
feathers.configure(auth(authOptions))


export default feathers

And my logout code is:

import feathers from '@/feathers.js'
// Vue component method; this.$router is provided by vue-router
export default {
  methods: {
    async logoutClick() {
      await feathers.logout()
      this.$router.replace('/login')
    }
  }
}

My problem is the following:

  • I log in to my app
  • open my app in another browser tab
  • return to the first tab with my app and click logout

After this, the logout in the first tab is OK, but the browser does not send a delete to the authorisation service on the server. I don't see it in the browser network activity.

So, my app in the second browser tab is still logged in.

How do I make logout work for all browser tabs where my app is open?

tolyan

1 Answer

If you are using the JWT authentication method, then, by default, the server doesn't hold a list of authenticated users. On every request the server deserializes the token and loads the user object.

If you want to implement a logout mechanism, then you have to create a blacklist, holding the logged out users. Here is a good detailed explanation of the subject.

I think that Feathers.js doesn't have a blacklisting mechanism implemented. Actually, the official documentation says that the remove method of the app.service('authentication') service is used to implement a custom blacklist.

In that case, you should hold a singleton blacklist of users and, after the remove method, insert into that list. When a user logs in (.create()) you should try to remove the user from that blacklist. The last thing would be to prevent a user on the blacklist from accessing any service, except the login action, maybe.

All that process will mean that when a user logs out in a browser tab, that user will be on the blacklist. Then, when the other tab tries to access another service with its own token, that user won't be able to access any service because he is already on the blacklist.

aperezfals
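The server-side pieces the answer describes, as an added example that is not from the question, the answer or Feathers itself: an in-memory denylist plus three Feathers-style hook functions (plain functions that take a `context` and return it, assuming Feathers v4 where `authenticate('jwt')` has already run before them). The context fields read, `context.result.user`, `context.result.authentication.payload.exp` and `context.params.user`, are assumptions to check against the Feathers version in use; an entry is kept only until the logged-out token would expire, so the list does not grow without bound.

```javascript
// Denylist of logged-out users: user id -> ms timestamp after which the entry
// may be dropped (the JWT that was logged out has expired by then).
const deniedUsers = new Map()

function markDenied(userId, untilMs) {
  deniedUsers.set(String(userId), untilMs)
}

function isDenied(userId, nowMs = Date.now()) {
  const until = deniedUsers.get(String(userId))
  if (until === undefined) return false
  if (until <= nowMs) { // the token would have expired anyway: forget the entry
    deniedUsers.delete(String(userId))
    return false
  }
  return true
}

// After hook on app.service('authentication').remove, which is what the
// client's feathers.logout() calls. The user stays denied until the JWT that
// was presented would expire, so every tab still holding it is locked out.
// Assumed context shape: context.result = { authentication: { payload }, user }.
function afterLogout(context) {
  const { user, authentication } = context.result || {}
  const exp = authentication && authentication.payload && authentication.payload.exp
  const untilMs = exp ? exp * 1000 : Date.now() + 24 * 60 * 60 * 1000 // assumed 1-day fallback
  if (user) markDenied(user.id, untilMs)
  return context
}

// After hook on app.service('authentication').create (login): a fresh login
// lifts the denial for that user.
function afterLogin(context) {
  const user = context.result && context.result.user
  if (user) deniedUsers.delete(String(user.id))
  return context
}

// Before hook for every other service, registered after authenticate('jwt'):
// a denied user is refused even though the JWT itself still verifies.
function rejectDenied(context) {
  const user = context.params && context.params.user
  if (user && isDenied(user.id)) {
    const err = new Error('Session was logged out')
    err.code = 401 // stands in for NotAuthenticated from @feathersjs/errors
    throw err
  }
  return context
}
```

With these hooks in place the client code in the question needs no change: the second tab's next service call is rejected with 401 and can redirect to the login page.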