Session Token Invalidation on Logout

DaanHoogland · DaanHoogland · commit 8a2f6528f1eb · 2024-10-04T10:58:12.000+02:00
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -260,19 +260,22 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                     }
 
                     if (apiAuthenticator.getAPIType() == APIAuthenticationType.LOGOUT_API) {
-                        if (session != null) {
-                            final Long userId = (Long) session.getAttribute("userid");
-                            final Account account = (Account) session.getAttribute("accountobj");
-                            Long accountId = null;
-                            if (account != null) {
-                                accountId = account.getId();
-                            }
-                            auditTrailSb.insert(0, "(userId=" + userId + " accountId=" + accountId + " sessionId=" + session.getId() + ")");
-                            if (userId != null) {
-                                apiServer.logoutUser(userId);
-                            }
-                            invalidateHttpSession(session, "invalidating session after logout call");
+                        if (session == null) {
+                            throw new ServerApiException(ApiErrorCode.PARAM_ERROR, "Session not found for the logout process.");
                         }
+
+                        final Long userId = (Long) session.getAttribute("userid");
+                        final Account account = (Account) session.getAttribute("accountobj");
+                        Long accountId = null;
+                        if (account != null) {
+                            accountId = account.getId();
+                        }
+                        auditTrailSb.insert(0, "(userId=" + userId + " accountId=" + accountId + " sessionId=" + session.getId() + ")");
+                        if (userId != null) {
+                            apiServer.logoutUser(userId);
+                        }
+                        invalidateHttpSession(session, "invalidating session after logout call");
+
                         final Cookie[] cookies = req.getCookies();
                         if (cookies != null) {
                             for (final Cookie cookie : cookies) {
diff --git a/ui/src/api/index.js b/ui/src/api/index.js
@@ -65,7 +65,6 @@ export function login (arg) {
 }
 
 export function logout () {
-  sourceToken.cancel()
   message.destroy()
   notification.destroy()
   return api('logout')
diff --git a/ui/src/store/modules/user.js b/ui/src/store/modules/user.js
@@ -24,6 +24,7 @@ import router from '@/router'
 import store from '@/store'
 import { oauthlogin, login, logout, api } from '@/api'
 import { i18n } from '@/locales'
+import { sourceToken } from '@/utils/request'
 
 import {
   ACCESS_TOKEN,
@@ -374,11 +375,6 @@ const user = {
           cloudianUrl = state.cloudian.url + 'logout.htm?redirect=' + encodeURIComponent(window.location.href)
         }
 
-        Object.keys(Cookies.get()).forEach(cookieName => {
-          Cookies.remove(cookieName)
-          Cookies.remove(cookieName, { path: '/client' })
-        })
-
         commit('SET_TOKEN', '')
         commit('SET_APIS', {})
         commit('SET_PROJECT', {})
@@ -406,6 +402,11 @@ const user = {
           }
         }).catch(() => {
           resolve()
+        }).finally(() => {
+          Object.keys(Cookies.get()).forEach(cookieName => {
+            Cookies.remove(cookieName)
+            Cookies.remove(cookieName, { path: '/client' })
+          })
         })
       })
     },

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,6 @@ export function login (arg) {`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`export function logout () {`
`68`		`- sourceToken.cancel()`
`69`	`68`	`message.destroy()`
`70`	`69`	`notification.destroy()`
`71`	`70`	`return api('logout')`