spotify / web-api

This issue tracker is no longer used. Join us in the Spotify for Developers forum for support with the Spotify Web API ➡️ https://community.spotify.com/t5/Spotify-for-Developers/bd-p/Spotify_Developer

How to clear access token #1513

Open zorro1rr opened 4 years ago

zorro1rr commented 4 years ago

Novice developer here. Is it possible to clear my user's access token? I'm trying to implement a logout feature that redirects them to https://accounts.spotify.com/authorize?client_id=${clientId}&response_type=token&scope=playlist-modify-public&redirect_uri=${redirectUri}

but my other code keeps pulling the token (honestly not sure if this is server or client side):

```javascript
if (accessToken) {
  return accessToken;
}
// if not already set, check the URL to see if it has just been obtained
// window.location.href checks the current URL and .match() with a regex to check for the token
const accessTokenMatch = window.location.href.match(/access_token=([^&]*)/);
// now use the same object/method (different regex) to get the expiration time
const expiresInMatch = window.location.href.match(/expires_in=([^&]*)/);
// now check if accessTokenMatch and expiresInMatch are in the URL
if (accessTokenMatch && expiresInMatch) {
  // set the value of accessToken
  accessToken = accessTokenMatch[1];
  // make variable for the expiration time
  let expiresIn = Number(expiresInMatch[1]);
  // Clear the parameters so we can grab a new access token when it expires
  window.setTimeout(() => accessToken = '', expiresIn * 1000);
  window.history.pushState('Access Token', null, '/');
  return accessToken;
}
```

So currently to get directed to the authorization URL I have to first clear my browsing data in settings or devtools. Thanks for any help/suggestions.

felix-hilden commented 4 years ago

I'm not sure of your code, but I can answer a part of your question. Or at least try.

There are access tokens which expire in an hour and their refresh tokens - used to retrieve new access tokens. A user may revoke tokens to any third party applications in their Spotify account settings. In your application, if you don't need to store the login session, you can simply discard the token and generate another on login. Otherwise store the refresh token.

In my experience the redirect can be automatic if you don't provide the show dialog option (see the auth guide). But why are you redirecting the user to authenticate again when logging out?
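An added example, not part of the thread or of Spotify's own code: a client-side session that keeps the implicit-grant token only in memory, so logging out means discarding it, and that can request the consent dialog on the next login through the `show_dialog` option mentioned above. The function names are hypothetical, the token value in any call is constructed, and it assumes the token arrives in the URL fragment of the redirect.

```javascript
// Added example; parseImplicitGrant, createSession, buildAuthorizeUrl and
// scrubTokenFromAddressBar are hypothetical names, not Spotify APIs.
const AUTHORIZE_URL = 'https://accounts.spotify.com/authorize';

// Read access_token / expires_in from the fragment of the redirect URL.
function parseImplicitGrant(href) {
  const hash = href.includes('#') ? href.slice(href.indexOf('#') + 1) : '';
  const params = new URLSearchParams(hash);
  const token = params.get('access_token');
  const expiresIn = Number(params.get('expires_in'));
  if (!token || !Number.isFinite(expiresIn) || expiresIn <= 0) return null;
  return { token, expiresIn };
}

// The token lives only in this closure, so logout() is all a client-side
// "clear" needs; revoking the app's access is done by the user in their
// Spotify account settings.
function createSession(now = () => Date.now()) {
  let token = '';
  let expiresAt = 0;
  const logout = () => { token = ''; expiresAt = 0; };
  const login = (grant) => {
    token = grant.token;
    expiresAt = now() + grant.expiresIn * 1000;
  };
  // Returns '' after logout or once the token has expired.
  const getToken = () => {
    if (token && now() >= expiresAt) logout();
    return token;
  };
  return { login, getToken, logout };
}

// With show_dialog=true an already-approved user is asked again instead of
// being redirected straight back with a fresh token.
function buildAuthorizeUrl({ clientId, redirectUri, scope, showDialog = false }) {
  const q = new URLSearchParams({
    client_id: clientId, response_type: 'token', scope, redirect_uri: redirectUri,
  });
  if (showDialog) q.set('show_dialog', 'true');
  return `${AUTHORIZE_URL}?${q}`;
}

// Browser only: replaceState (not pushState) so the URL that carried the
// token is not left behind as a history entry.
function scrubTokenFromAddressBar() {
  if (typeof window !== 'undefined') window.history.replaceState(null, '', '/');
}
```

Call `scrubTokenFromAddressBar()` right after `login()`, and on logout call `logout()` before sending the user to `buildAuthorizeUrl({ ..., showDialog: true })`.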