Closed: drev74 closed this 1 year ago
@vinckr Hi, could you please take a look :eyes:
I am also having issues revoking if I have multiple sessions.
For example, I create two sessions by logging in twice, then I try to revoke the second session. It does not properly revoke. It actually revokes the wrong session (session 1) instead of (session 2).
@vinckr any ideas if this is related to the bug above?
Code to reproduce:
// Clients assumed for this snippet (not shown in the original comment): the
// @ory/client v1.x FrontendApi and IdentityApi. Base URLs are placeholders.
// authService, user and KratosError are the reporter's own test fixtures.
import { Configuration, FrontendApi, IdentityApi } from "@ory/client"
const kratosPublic = new FrontendApi(new Configuration({ basePath: "http://<kratos-public-url>" }))
const kratosAdmin = new IdentityApi(new Configuration({ basePath: "http://<kratos-admin-url>" }))

it("revoke a user's second session only", async () => {
  // Session 1
  const session1 = await authService.login(user) // kratosPublic.updateLoginFlow
  const session1Token = session1.sessionToken
  // Session 2
  const session2 = await authService.login(user) // kratosPublic.updateLoginFlow
  const session2Token = session2.sessionToken

  // Session details
  // * caveat: you need at least 2 active sessions for 'listMySessions' to work properly;
  //   if you only have 1 active session the data comes back null
  const session1Details = await kratosPublic.listMySessions({
    xSessionToken: session1Token,
  })
  const session1Id = session1Details.data[0].id
  const session2Details = await kratosPublic.listMySessions({
    xSessionToken: session2Token,
  })
  const session2Id = session2Details.data[0].id

  // Revoke session 2
  await kratosPublic.disableMySession({
    id: session2Id,
    xSessionToken: session2Token,
  })

  // Check that session 2 was revoked: list the identity's active sessions via the admin API
  const activeSessions = await kratosAdmin.listIdentitySessions({
    id: session2.kratosUserId,
    active: true,
  })
  // `find` returns the matching session entry, or undefined if it is no longer active
  const isSession1Revoked = activeSessions.data.find((s) => s.id === session1Id)
  const isSession2Revoked = activeSessions.data.find((s) => s.id === session2Id)
  expect(isSession1Revoked).toBeDefined() // session1Id should be in the list
  expect(isSession2Revoked).toBeUndefined() // session2Id should NOT be in the list

  // * validateKratosToken has a weird bug with multiple sessions:
  //   it throws an error on session1 and thinks session2 is valid,
  //   which is the opposite of what should happen
  const isSession1Valid = await kratosPublic.toSession({ xSessionToken: session1Token })
  const isSession2Valid = await kratosPublic.toSession({ xSessionToken: session2Token })
  expect(isSession1Valid).toBeDefined() // * BUG? this should be valid (but it's not)
  expect(isSession2Valid).toBeInstanceOf(KratosError) // * BUG? this should be invalid (but it's valid, and it's the wrong sessionId: it returns session1's id)
})
Versions:
@ory/client: ^1.1.0
oryd/kratos: v0.10.1
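An added example, not from this thread, of a revocation check that identifies the target session by the id returned from toSession for its own token rather than by its position in the listMySessions result, and then verifies the outcome. FakeKratos is a constructed stand-in for the @ory/client FrontendApi methods used above; it models the documented behaviour that listMySessions returns the caller's other active sessions (the current one is excluded) and that disableMySession does not revoke the calling session, so the block runs offline.

```javascript
// FakeKratos: constructed in-memory stand-in for the FrontendApi calls used
// in the issue (not the real @ory/client). Sessions are keyed by token.
class FakeKratos {
  constructor() { this.sessions = new Map(); this.n = 0; }
  login() {                                            // stands in for updateLoginFlow
    const token = `tok-${++this.n}`;
    this.sessions.set(token, { id: `sess-${this.n}`, active: true });
    return { sessionToken: token };
  }
  current(token) {                                     // resolve a token or fail like a 401
    const s = this.sessions.get(token);
    if (!s || !s.active) throw new Error('401 unauthorized');
    return s;
  }
  async toSession({ xSessionToken }) { return { data: { ...this.current(xSessionToken) } }; }
  async listMySessions({ xSessionToken }) {            // other sessions only, current excluded
    const me = this.current(xSessionToken);
    return { data: [...this.sessions.values()].filter(s => s.active && s.id !== me.id) };
  }
  async disableMySession({ id, xSessionToken }) {
    const me = this.current(xSessionToken);
    if (id === me.id) throw new Error('400 the current session cannot be revoked');
    for (const s of this.sessions.values()) if (s.id === id) s.active = false;
  }
}

// Revoke the session behind `targetToken` while authenticated as `callerToken`.
// Returns the revoked session id; throws if the target is not one of the
// caller's other sessions or if revocation did not take effect.
async function revokeOtherSession(client, callerToken, targetToken) {
  const { data: target } = await client.toSession({ xSessionToken: targetToken }); // authoritative id
  const { data: others } = await client.listMySessions({ xSessionToken: callerToken });
  if (!others.some(s => s.id === target.id)) {
    throw new Error(`session ${target.id} is not one of the caller's other sessions`);
  }
  await client.disableMySession({ id: target.id, xSessionToken: callerToken });
  // Verify: the target token must no longer resolve, the caller's still must.
  let targetStillValid = true;
  try { await client.toSession({ xSessionToken: targetToken }); } catch { targetStillValid = false; }
  await client.toSession({ xSessionToken: callerToken });
  if (targetStillValid) throw new Error('revocation did not take effect');
  return target.id;
}

// Mirrors the selection used in the issue's test: data[0] under a given token.
async function firstListedUnderToken(client, token) {
  const { data } = await client.listMySessions({ xSessionToken: token });
  return data.length ? data[0].id : null;
}
```

Under the second token, firstListedUnderToken returns the first session's id, which is why revoking "data[0]" from session 2 removes session 1; revokeOtherSession makes the intended target explicit and checks both tokens afterwards.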
Please try this with Kratos 1.0 and reopen if this is still an issue; we struggle with reproducing it. Thanks!
Describe the bug
After clicking a logout button in the Vue3 TS client, my browser session is still active. This breaks the auth logic, because my client is still signed in after being signed out.
Version
0.11.0
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
POSTGRES_VER=15.1-alpine
KRATOS_VER=v0.11.0
KRATOS_UI_VER=v0.11.0-alpha.0.pre.2
OATHKEEPER_VER=v0.40.0
KETO_VER=v0.10.0