os-ims-Code-Blooded / fitness-tracker

workouts and calories tracked

feat / logout #23

Open sandrockjustin opened 5 hours ago

sandrockjustin commented 5 hours ago

Unsure about how to proceed on this, but here's a description of what is working and what is not.

When a user clicks the Logout button we are doing two things: we are using the Passport req.logout() function and we are also using the Express req.session.destroy() function. Parts of this might be redundant but we will understand as we continue to explore it.

Issue: After logging out, the page redirects to /auth/google. However, it appears that Passport is preserving this data (possibly in a cookie) and upon redirect it is automatically forcing a user to log in again. This is not how we want our application to function; the user should be prompted to sign-in with Passport again rather than it automatically signing in a user.

Suggested Solution: Experiment with destroying/otherwise deleting the cookie? It's weird: the express-session model is storing this data as a cookie, but it seems as though there is another cookie stored in the end-user's browser.
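For reference, here is an added example (not code from the fitness-tracker repo) of a logout handler that does all three steps the comment above discusses: Passport `req.logout()`, express-session `req.session.destroy()`, and clearing the session cookie so the browser stops presenting the old session id. It assumes Passport 0.6+ (callback-style `req.logout`), express-session's default cookie name `connect.sid`, and the `/auth/google` redirect from the issue; the `runLogout` helper with its constructed `req`/`res` doubles exists only so the handler can be exercised without Express.

```javascript
// Added example, not code from the fitness-tracker repo. Assumes Passport 0.6+
// (req.logout takes a callback), express-session with its default cookie name
// 'connect.sid', and the /auth/google redirect from the issue.

const SESSION_COOKIE = 'connect.sid'; // express-session default; assumption

// Express route handler, e.g. app.post('/logout', logoutHandler)
function logoutHandler(req, res, next) {
  // 1. Passport: remove req.user and the passport entry from the session.
  req.logout(function (err) {
    if (err) return next(err);
    // 2. express-session: delete the server-side session record so the old
    //    session id can no longer be used to resume the login.
    req.session.destroy(function (destroyErr) {
      if (destroyErr) return next(destroyErr);
      // 3. Tell the browser to drop the session cookie. destroy() only removes
      //    the server copy; without this the client keeps sending the stale id.
      res.clearCookie(SESSION_COOKIE, { path: '/' });
      // 4. Send the user back to the app's own OAuth start route.
      res.redirect('/auth/google');
    });
  });
}

// Constructed req/res doubles (not Express objects) that record what the
// handler did, so its sequence of calls can be checked offline.
function runLogout() {
  const log = [];
  const req = {
    user: { id: 'user-1' },
    session: {
      passport: { user: 'user-1' },
      destroy(cb) { log.push('session.destroy'); cb(null); },
    },
    logout(cb) { log.push('logout'); delete this.user; cb(null); },
  };
  const res = {
    clearCookie(name) { log.push('clearCookie:' + name); },
    redirect(url) { log.push('redirect:' + url); },
  };
  logoutHandler(req, res, function (err) { log.push('error:' + err.message); });
  return { log, user: req.user };
}
```

The order matters: `logout` and `destroy` run before `clearCookie` and `redirect`, so the redirected request arrives with neither a usable server session nor the cookie that pointed at it.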

sandrockjustin commented 4 hours ago

Patchwork solution reached, but it is only a pseudo-fix. We resolved this by forcing a prompt to sign-in on any redirect to /auth/google. However, there is an issue of session persistence.

Suggested Solution: Create a Sessions Schema in our database, which Passport might be changed somehow to interact with? That way Passport isn't storing and persisting sessions that we don't want; instead sessions would be stored in our database with the Sessions model.

Relevant Documentation:

sandrockjustin commented 3 hours ago

Follow-up issue: on redirects to /auth/google we are receiving a CORS error. The login can only seem to be accessed if we manually enter it as a web address? It seems quite unusual; my theory is that technically our endpoint /auth/google is crossing origins to the Google API.

Internally, our server seems to refuse client requests to access that other origin.

If we force it in the client, however, by circumventing the server request we can just access that endpoint?