pocketbase / dart-sdk

PocketBase Dart SDK
https://pub.dev/packages/pocketbase
MIT License

Question: pb.authStore.clear(); clears the auth store (token = '' and isValid = false), so why are api requests still successful? #20

Closed agreensh closed 1 year ago

agreensh commented 1 year ago

iOS and Android, pocketbase: ^0.6.0

I logout with 'pb.authStore.clear();', but subsequent api requests still complete successfully. I would expect them to fail. Now I have to check each api request with 'if (auth.isValid)'. Doesn't seem quite right. Wouldn't the api request(s) see the auth token is now '' and immediately fail (or at least update the headers it sends with the invalid token)?

ganigeorgiev commented 1 year ago

Technically, since the PocketBase API is completely stateless, there is no actual "logout" action.

pb.authStore.clear() just resets the AuthStore data.

> Wouldn't the api request(s) see the auth token is now '' and immediately fail (or at least update the headers it sends with the invalid token)?

If pb.authStore.clear() is called then any following requests should be sent without the Authorization header. If you are not observing this behavior, then it could be a bug, but from my local tests using the Dart CLI I'm not able to reproduce it and it works as expected for me.

Please note that a request can succeed even without the Authorization header if your collection(s) API rules allow guest access.
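
The behaviour described in this reply, as an added example that is not part of the original thread and is not PocketBase or SDK code: a simplified Python model of a stateless token API, where clearing the client store only drops the Authorization header and the collection rule decides the outcome. The secret, the collection names `posts` and `notes`, and all function names are constructed for illustration; the two rule strings follow PocketBase's API rule syntax.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"               # constructed value, not a real key
PUBLIC, AUTH_ONLY = "", '@request.auth.id != ""'  # PocketBase-style rule strings
RULES = {"posts": PUBLIC, "notes": AUTH_ONLY}     # hypothetical collections

def issue_token(user_id, ttl=3600):
    """Sign the claims; the server keeps no record of issued tokens."""
    claims = {"id": user_id, "exp": time.time() + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify(token):
    """Stateless check: signature and expiry only, so nothing can be 'logged out'."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims["id"] if claims["exp"] > time.time() else None

def allowed(collection, headers):
    """Server side: a request without the header is evaluated as a guest."""
    token = headers.get("Authorization", "")
    auth_id = verify(token) if token else None
    rule = RULES[collection]
    return rule == PUBLIC or (rule == AUTH_ONLY and auth_id is not None)

class AuthStore:
    """Client side: clear() resets local data only (expiry check omitted here)."""
    def __init__(self):
        self.token = ""
    @property
    def is_valid(self):
        return bool(self.token)
    def clear(self):
        self.token = ""

def client_request(store, collection):
    """Send the Authorization header only when the store holds a token."""
    headers = {"Authorization": store.token} if store.token else {}
    return allowed(collection, headers)
```

Protect data with the collection API rule rather than a client-side `isValid` check. In this model a token copied before `clear()` is still accepted by the server until it expires.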

agreensh commented 1 year ago

Thanks, that's made it clearer.