The built-in endpoint /logout returns a successful 200 OK status even when no tokens (access and/or refresh) have been revoked. That can happen when no tokens were passed with the request at all, since none of them are required.
This behavior opens the door for mistakes in a client application that can easily go unnoticed because the "logout" appears to succeed.
The expected behavior would be to require the access token. The call should succeed only upon invalidation of a known token.
Because the refresh token is optional, it is easy to mistakenly omit it from the request as well. That can easily happen due to the domain/path scope of cookies. In this case the "logout" will be misinterpreted as successful even though the refresh token remains valid.
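The following is an added illustration, not the project's own code: a hypothetical in-memory token store with the lenient logout behavior described above next to a strict variant that fails when the access token is missing or unknown and reports whether the refresh token was actually revoked, so a client can detect the cookie-scope mistake instead of silently treating the 200 as success.

```python
from dataclasses import dataclass, field


@dataclass
class TokenStore:
    # Constructed in-memory set of currently valid tokens (hypothetical).
    access: set = field(default_factory=set)
    refresh: set = field(default_factory=set)


def logout_lenient(store, access_token=None, refresh_token=None):
    """Behavior from the report: 200 OK whether or not anything was revoked."""
    store.access.discard(access_token)
    store.refresh.discard(refresh_token)
    return 200, {}


def logout_strict(store, access_token=None, refresh_token=None):
    """Succeed only after a known access token is invalidated.

    The body states what was revoked, so an omitted or unknown refresh
    token (e.g. a cookie not sent because of its domain/path scope) is
    visible to the client rather than hidden behind a bare 200.
    """
    if access_token is None:
        return 400, {"error": "access_token is required"}
    if access_token not in store.access:
        return 401, {"error": "unknown or already revoked access token"}
    store.access.remove(access_token)
    refresh_revoked = refresh_token in store.refresh
    store.refresh.discard(refresh_token)
    return 200, {"access_revoked": True, "refresh_revoked": refresh_revoked}


def logout_actually_revoked(store, access_token, refresh_token):
    """Client-side check: after logout neither token may still be valid."""
    return access_token not in store.access and refresh_token not in store.refresh


if __name__ == "__main__":
    store = TokenStore({"acc-1"}, {"ref-1"})
    # Browser forgot both cookies: lenient endpoint still says 200.
    print(logout_lenient(store), logout_actually_revoked(store, "acc-1", "ref-1"))
    # Strict endpoint: only the access token arrived, refresh stays valid and is reported.
    print(logout_strict(store, "acc-1"))
```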