
Transcript

  1. While we have our user authenticated, let's go ahead and set up our application so that whenever we click our user's name, they get logged out. So let's hide our browser away. The first thing that we'll want to do is hold Command-P and dive into

  2. our routes file and let's define a route for this within our authentication group. We'll do router, and we'll do post here so that we get

  3. our CSRF protection for this. Slash, and call that path logout. Now let's go ahead and create a controller for this. So let's dive into our terminal, stop our server, clear that out,

  4. node ace make:controller auth/logout. For this one, we'll just want a handle method specifically to handle the request.

  5. Then we'll do hyphen s to keep that singular. Enter on that to create it and let's boot our server back up. NPM run dev there. Okay, let's hide that back away. Now let's make use of our logout controller

  6. there and call our handle method. Let's also give this a name of as and this will just be logout. Then we could use our middleware and apply

  7. the auth middleware to require the user to be authenticated in order to hit this route successfully. Let's dive into our logout controller. From our HTTP context, we're going to want our response so that we can redirect

  8. the user as well as auth so that we can log them out. To log them out, all that we need to do is await auth.use('web').logout().

  9. Once this is called, the user's authenticated session will be destroyed and they'll no longer be authenticated. So we can now return, response, redirect, and just redirect them

  10. back to the previous page that they were on. If that previous page happens to be auth required, so if we have that auth middleware bound to it, that auth middleware will redirect them away back to the login page.

  11. So we're a-okay with just applying back here. Lastly, let's dive back into our resources, navigation file, and let's apply a form for this auth full name here.

  12. So we'll do form method equals post. Our action is going to be our route, auth.logout. Let's end our form, apply that CSRF field,

  13. and then let's do a button of type submit so that our form submits whenever we click this button and the text can just be our full name and we can also add maybe log out there as well.

  14. Let's also give this a class text extra small just so all of that text fits a little bit better right there. Give that a save. Now, if we jump back into our browser, we should see logout auth user one

  15. and it has a nice little hand over it to signal that it is clickable and whenever we click it, we are logged out and we no longer see the authenticated user's name here

  16. because there is no longer an authenticated user and that rings true if we go into our writer's home or director's page as well.

Logging Out An Authenticated User

In This Lesson

We'll learn how to log out an authenticated user using a POST request with CSRF protection.
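The flow the transcript walks through (a POST-only logout route behind the auth middleware, a CSRF check on the form token, destruction of the server-side session, and a redirect back that the auth middleware turns into a bounce to the login page) is reproduced here as an added, framework-free TypeScript model. It is not code from the lesson or from AdonisJS: the SessionStore, App and runLogoutScenario names, the in-memory session store and the request/response shapes are assumptions made for this illustration.

```typescript
import { randomBytes, timingSafeEqual } from 'node:crypto'

// A session record. The CSRF token lives in the session, like the per-session
// token the CSRF field in the lesson's form is populated from (assumption).
interface Session {
  id: string
  userId?: number
  csrfToken: string
}

interface Request {
  method: 'GET' | 'POST'
  path: string
  cookieSessionId?: string // what the browser's session cookie would carry
  body?: Record<string, string> // submitted form fields, e.g. { _csrf: '...' }
  referer?: string // the "back" target for redirect().back()
}

interface Response {
  status: number
  location?: string // set on redirects
  text?: string
}

// In-memory session store standing in for the framework's session driver (assumption).
class SessionStore {
  private sessions = new Map<string, Session>()

  create(userId?: number): Session {
    const session: Session = {
      id: randomBytes(16).toString('hex'),
      userId,
      csrfToken: randomBytes(16).toString('hex'),
    }
    this.sessions.set(session.id, session)
    return session
  }

  get(id: string | undefined): Session | undefined {
    return id ? this.sessions.get(id) : undefined
  }

  // Logging out discards the whole server-side session, not just the userId,
  // so a stolen cookie value is useless afterwards.
  destroy(id: string): void {
    this.sessions.delete(id)
  }
}

// Constant-time comparison so the token check does not leak timing information.
function tokensMatch(expected: string, given: string | undefined): boolean {
  if (!given || given.length !== expected.length) return false
  return timingSafeEqual(Buffer.from(expected), Buffer.from(given))
}

class App {
  constructor(private store: SessionStore) {}

  // CSRF guard for state-changing requests. A GET /logout could be triggered by any
  // page that embeds the URL, which is why the lesson registers the route as POST.
  private csrf(req: Request, session: Session | undefined): Response | null {
    if (req.method !== 'POST') return null
    if (!session || !tokensMatch(session.csrfToken, req.body?._csrf)) {
      return { status: 403, text: 'Invalid CSRF token' }
    }
    return null
  }

  // Auth middleware: unauthenticated visitors are sent to the login page.
  private auth(session: Session | undefined): Response | null {
    return session?.userId === undefined ? { status: 302, location: '/login' } : null
  }

  // Counterpart of the lesson's LogoutController.handle: destroy the session, redirect back.
  private logout(req: Request, session: Session): Response {
    this.store.destroy(session.id)
    return { status: 302, location: req.referer ?? '/' }
  }

  handle(req: Request): Response {
    const session = this.store.get(req.cookieSessionId)
    if (req.method === 'GET' && req.path === '/login') return { status: 200, text: 'login form' }
    if (req.method === 'GET' && req.path === '/dashboard') {
      return this.auth(session) ?? { status: 200, text: `hello user ${session!.userId}` }
    }
    if (req.method === 'POST' && req.path === '/logout') {
      return this.csrf(req, session) ?? this.auth(session) ?? this.logout(req, session!)
    }
    return { status: 404 }
  }
}

// Drives the lesson's flow end to end with a constructed logged-in session and
// returns each response so the outcome can be inspected or asserted on.
function runLogoutScenario() {
  const store = new SessionStore()
  const app = new App(store)
  const session = store.create(42) // constructed user id
  const cookie = { cookieSessionId: session.id }

  const beforeLogout = app.handle({ method: 'GET', path: '/dashboard', ...cookie })
  // A cross-site form post carries the victim's cookie but cannot know the CSRF token.
  const forged = app.handle({ method: 'POST', path: '/logout', ...cookie, body: {}, referer: '/dashboard' })
  // The lesson's own form submits the token from the CSRF field.
  const logout = app.handle({ method: 'POST', path: '/logout', ...cookie, body: { _csrf: session.csrfToken }, referer: '/dashboard' })
  // Following the redirect back to a protected page now lands on /login.
  const afterLogout = app.handle({ method: 'GET', path: '/dashboard', ...cookie })

  return { beforeLogout, forged, logout, afterLogout, sessionGone: store.get(session.id) === undefined }
}
```

Calling runLogoutScenario() shows the two properties the lesson relies on: a POST without the session's CSRF token is refused and leaves the session intact, and once the real logout has destroyed the session, the redirect back to the previous page is turned into a redirect to the login page by the auth middleware rather than rendering anything for the stale cookie.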

Created by
@tomgobich
Published

Join the Discussion 2 comments

  1. @guy-aloni

    I use access tokens, and when I do either await auth.use('api').logout() I get an error auth.use(...).logout is not a function.
    I can neither get the token explicitly using auth.use('api').token (I get undefined).

    The only way I can get it is from the request header, but I find it hard to believe that there is no way to extract it from the auth. Anyway, since the hashed token is stored, I don't even know whether the approach of searching for it in the DB will work.

    1
    1. Responding to guy-aloni
      @tomgobich

      Hi Guy! The auth process shown in this series is for session authentication. The access token auth does not contain a logout method, but rather works via the accessTokens property added onto the User model.

      There are a few key differences between session and access token auth; you can check out our Access Token Authentication in 20 Minutes lesson to see a walk-through of auth for access tokens.

      1