
Implement "auth.logout" Conduit API method
Closed, Public

Authored by epriestley on Apr 3 2016, 4:13 PM.

Details

Summary

Ref T7303. Ref T7673. This implements an "auth.logout" which:

  • terminates all web sessions;
  • terminates the current OAuth token if called via OAuth; and
  • may always be called via OAuth.

(Since it consumes an OAuth token, even a "malicious" OAuth application can't really be that much of a jerk with this: it can't continuously log you out, since calling the method once kills the token. The application would need to ask your permission again to get a fresh token.)

The primary goal here is to let Phacility instances call this against the Phacility upstream, so that when you log out of an instance it also logs you out of your Phacility account (possibly with a checkbox or something).

This also smooths over the session token code. Before this change, your sessions would get logged out but when you reloaded we'd tell you your session was invalid.

Instead, try to clear the invalid session before telling the user there's an issue. I think that essentially 100% of invalid sessions are a result of something in this vein (e.g., forced logout via Settings) nowadays, since the session code is generally stable and sane and has been for a long time.

Test Plan
  • Called auth.logout via console, got a reasonable logout experience.
  • Called auth.logout via OAuth.
    • Tried to make another call, verified OAuth token had been invalidated.
    • Verified web session had been invalidated.
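
The logout semantics described in the summary, as an added Python model (not Phabricator's PHP code and not part of this revision). The class, its method names, the returned status strings and the reading of "may always be called via OAuth" as an exemption from scope checks are assumptions made for illustration.

```python
import secrets

# Assumption: "may always be called via OAuth" means exempt from scope checks.
ALWAYS_ALLOWED_VIA_OAUTH = {"auth.logout"}


class AuthModel:
    """Constructed in-memory stand-in for session and OAuth token storage."""

    def __init__(self):
        self.sessions = {}  # web session key -> username
        self.tokens = {}    # OAuth access token -> (username, granted methods)

    def web_login(self, user):
        key = secrets.token_hex(16)
        self.sessions[key] = user
        return key

    def oauth_grant(self, user, scopes=()):
        token = secrets.token_hex(16)
        self.tokens[token] = (user, frozenset(scopes))
        return token

    def conduit_via_oauth(self, method, token):
        """Dispatch an API call authenticated by an OAuth access token."""
        if token not in self.tokens:
            return "invalid-token"  # hypothetical status label
        user, scopes = self.tokens[token]
        if method not in ALWAYS_ALLOWED_VIA_OAUTH and method not in scopes:
            return "scope-denied"   # hypothetical status label
        if method == "auth.logout":
            self.logout(user, calling_token=token)
        return "ok"

    def logout(self, user, calling_token=None):
        # Terminate every web session for the user, not only the current one.
        self.sessions = {k: u for k, u in self.sessions.items() if u != user}
        # Consume the calling token: the same grant cannot log the user out
        # a second time without the user approving a fresh token.
        if calling_token is not None:
            self.tokens.pop(calling_token, None)

    def web_request(self, cookie):
        """Return (user, clear_cookie); a stale cookie is flagged for clearing."""
        if cookie in self.sessions:
            return self.sessions[cookie], False
        return None, cookie is not None
```
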

Diff Detail

Repository
rP Phabricator
Branch
oauth3
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 11455
Build 14285: Run Core Tests
Build 14284: arc lint + arc unit

Event Timeline

epriestley retitled this revision from to Implement "auth.logout" Conduit API method.
epriestley updated this object.
epriestley edited the test plan for this revision.
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land. Apr 3 2016, 5:32 PM
This revision was automatically updated to reflect the committed changes.