ThexXTURBOXx / flutter_web_auth_2

Flutter plugin for authenticating a user with a web service
https://pub.dev/packages/flutter_web_auth_2
MIT License

[new-feature]: Opening a completely new session every time #122

Closed NilouMinooei closed 2 months ago

NilouMinooei commented 2 months ago

Is your feature request related to a problem? Please describe.

I'm using flutter_web_auth_2 for the login process, and it comes back to the app with a special scheme. When you first install the app, you are redirected to the page, add your credentials, and then after finishing successfully you are redirected to the app and everything is fine. Now if you log out and want to log in again, it does not let you enter any credentials and logs you in automatically. This part is fixed via preferEphemeral: true for iOS, but in Android intentFlags: ephemeralIntentFlags does not actually close the session and only closes the open tab, so the cookies are available.

final result = await FlutterWebAuth2.authenticate(
  url: url,
  callbackUrlScheme: 'app',
  options: const FlutterWebAuth2Options(preferEphemeral: true),
);

Describe the solution you'd like

I need the session to be completely closed + getting rid of all the cookies.

Describe alternatives you've considered

Or a feature like opening the web in incognito so that there would be no cookies after closing the session.

Additional context

flutter doctor -v

[✓] Flutter (Channel stable, 3.22.3, on macOS 14.6.1 23G93 darwin-arm64, locale en-DE)
    • Flutter version 3.22.3 on channel stable at /Users/nmi/fvm/versions/3.22.3
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision b0850beeb2 (5 weeks ago), 2024-07-16 21:43:41 -0700
    • Engine revision 235db911ba
    • Dart version 3.4.4
    • DevTools version 2.34.3

[✓] Android toolchain - develop for Android devices (Android SDK version 34.0.0)
    • Android SDK at /Users/username/Library/Android/sdk
    • Platform android-34, build-tools 34.0.0
    • ANDROID_HOME = /Users/username/Library/Android/sdk
    • ANDROID_SDK_ROOT = /Users/username/Library/Android/sdk
    • Java binary at: /Applications/Android Studio.app/Contents/jbr/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 17.0.10+0-17.0.10b1087.21-11609105)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 15.4)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 15F31d
    • CocoaPods version 1.15.2

[✗] Chrome - develop for the web (Cannot find Chrome executable at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome)
    ! Cannot find Chrome. Try setting CHROME_EXECUTABLE to a Chrome executable.

[✓] Android Studio (version 2024.1)
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 17.0.10+0-17.0.10b1087.21-11609105)

[✓] VS Code (version 1.92.2)
    • VS Code at /Users/nmi/Desktop/Visual Studio Code.app/Contents
    • Flutter extension version 3.94.0

[✓] Connected device (4 available)
    • ...
[✓] Network resources
    • All expected network resources are available.

! Doctor found issues in 1 category.

Version of flutter_web_auth_2: 3.1.2

Note: about a month ago it used to work with the same version and it would open a new web every time. But recently something must have changed somewhere. I have searched a lot in all the dependencies but I could not find any difference. I'm just mentioning it; maybe you would have an idea about it 😅

ThexXTURBOXx commented 2 months ago

> in Android intentFlags: ephemeralIntentFlags does not actually close the session and only closes the open tab so the cookies are available.

This is expected and behaving as it should since this is not how ephemeral sessions work on Android. This is also actually the reason why I made the intent flags completely customisable: ephemeralIntentFlags now simulate what an ephemeral session on Android was like before - and the rest is up for the developer to decide and configure.

> I need the session to be completely closed + getting rid of all the cookies.

This is the same issue as #66 and #114. Basically, nothing this package can do about it. If you want the user to log out, invalidate the cookies on the server end. And if you don't have any access to some mechanism like that: Call authenticate again, but point it to the log out endpoint of the web application you originally authenticated against. Be sure to somehow catch going back to the app, though (which can be rather tricky).

> or a feature like opening the web in incognito so that there would be no cookies after closing the session.

I am not sure if there is any API that would allow this in Android. I actually rather doubt it.
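
The second suggestion in the reply above (calling authenticate again, pointed at the log out endpoint), as an added example that is not part of the original thread or the package's own code. It assumes an OpenID Connect style provider: the issuer URL, the `/logout` path, the `app://logged-out` redirect and the helper names are hypothetical, and the query parameter names follow OIDC RP-Initiated Logout.

```dart
import 'package:flutter/services.dart' show PlatformException;
import 'package:flutter_web_auth_2/flutter_web_auth_2.dart';

// Assumed values, not taken from the issue.
const issuer = 'https://idp.example.com';
const callbackScheme = 'app';

/// Builds the provider's logout URL. A non-OIDC service will use its own
/// endpoint and parameter names.
Uri buildLogoutUrl({required String idToken, required String state}) =>
    Uri.parse('$issuer/logout').replace(queryParameters: {
      'id_token_hint': idToken,
      'post_logout_redirect_uri': '$callbackScheme://logged-out',
      'state': state,
    });

/// Opens the logout endpoint so the server ends the session that the
/// browser cookies refer to. Returns true only when the provider redirected
/// back to the app with the state value that was sent.
Future<bool> logoutInBrowser({
  required String idToken,
  required String state,
}) async {
  try {
    // Default options: the logout page has to load in the browser context
    // that holds the session cookies.
    final result = await FlutterWebAuth2.authenticate(
      url: buildLogoutUrl(idToken: idToken, state: state).toString(),
      callbackUrlScheme: callbackScheme,
    );
    return Uri.parse(result).queryParameters['state'] == state;
  } on PlatformException {
    // The user closed the tab before the redirect arrived. The server
    // session may still be alive, so this is not a completed logout.
    return false;
  }
}
```

Tokens stored in the app should be discarded regardless of the return value; a `false` result only means the browser-side session could not be confirmed as ended.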

NilouMinooei commented 2 months ago

Thanks a lot for your complete answer and suggestions. I'll have them in mind.