Open rye opened 6 years ago
I can probably figure out a way to delete the cookie when the user submits their ballot. Maybe it would be good to also invalidate it server side. Also, users cannot vote twice, so if for some reason a user is not logged out of Google, no one else would be able to vote for them anyway.
The revocation URI is https://accounts.google.com/o/oauth2/revoke?token={token}
Will there be a conflict if both the server side and client side do this?
Hmm. Google might whine if a token that has already been revoked is revoked again. May be best to just revoke the tokens server-side before cleaning up on the client.
We need to come up with some way to prevent users from seeing other users' accounts when they log in. Or, rather, some way of invalidating tokens. (This can be done server-side.)
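A sketch of the server-side revocation discussed in this thread, added as an example and not code from this project: it ends the local session first, revokes the token at the URI quoted above, and treats a repeat revocation as a normal outcome. The session dict, the `oauth_token` key, the retry queue and the reading of HTTP 400 as "already invalid" are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request

# Revocation URI as quoted in the thread.
REVOKE_URI = "https://accounts.google.com/o/oauth2/revoke"


def http_post(url):
    """Default transport: POST to url and return the HTTP status code."""
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def revoke_token(token, post=http_post):
    """Revoke one token; a repeat revocation is reported, not raised."""
    status = post(REVOKE_URI + "?" + urllib.parse.urlencode({"token": token}))
    if status == 200:
        return "revoked"
    if status == 400:
        # Assumption: 400 covers a token that is already revoked, expired
        # or unknown, so a second revocation lands here.
        return "already_invalid"
    raise RuntimeError(f"revocation returned HTTP {status}")


def finish_ballot(session, retry_queue, post=http_post):
    """Clear the server-side session, then revoke its token at Google."""
    token = session.get("oauth_token")  # hypothetical session key
    session.clear()  # the local session ends even if revocation fails
    if token is None:
        return "no_token"
    try:
        return revoke_token(token, post)
    except (RuntimeError, OSError):
        retry_queue.append(token)  # hypothetical queue for a later retry
        return "queued"
```

Because the server drops the token before responding, the client only has to delete its cookie and has nothing left to revoke a second time.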