Logout does not clear localStorage (AngularJS) when backend logout fails

[thovden]

This happens e.g., when the client presents an invalid authorization token to the REST API, which will respond 500, and the interceptor that clears localStorage will not run.

To reproduce (using angularJS-generated model bindings)

1. Log in using the AngularJS SDK-generated support code
2. Edit the authorization token in the client browser - e.g., localStorage.$LoopBack$accessTokenId = "foo"
3. Try to Log out in the client. The server will now respond 500 "invalid token" (or similar)

The interceptor code will not run, leaving the invalid token in localStorage, meaning we're stuck. User.isAuthenticated() will respond true, but calls will not be authorized. We need the interceptor to run even if the server presents a 500 invalid token. For the AngularJS SDK code:

        "logout": {
          interceptor: {
            response: function(response) {
              LoopBackAuth.clearUser();
              LoopBackAuth.clearStorage();
              return response.resource;
            }
          },

[superkhau]

Can you provide a repo with steps-to-reproduce? See https://github.com/strongloop/loopback/wiki/Reporting-issues#bug-report

[loay]

Hi @thovden
There were couple of fixes in that issue: #1669
Any luck with those?
Thanks.

[thovden]

Thanks for the update - haven't tried those fixes - will do.

On Thu, Feb 11, 2016 at 8:02 PM, Loay notifications@github.com wrote:

Hi @thovden https://github.com/thovden
There were couple of fixes in that issue: #1669
#1669
Any luck with those?
Thanks.

—
Reply to this email directly or view it on GitHub
#1081 (comment)
.

[bradwbradw]

My workaround is to use the $promise.catch block to manually remove the local storage item if a token has expired. Ideally Loopback could handle this, though, because then I could test properly. The test environment won't be able to access window functions. (User in this code is the Loopback User model)

      logoutTheUser: function () {
        return User.logout().$promise
          .then(function(){
                $state.go('base', {}, {reload: true});
          })
          .catch(function(){
                $log.error('token expired, cannot call logout because of loopback bug');
                window.localStorage.removeItem('$LoopBack$accessTokenId');
                window.localStorage.removeItem('$LoopBack$currentUserId');
                $state.go('base', {}, {reload: true});
            });
      },

[mrbatista]

See this PR that solve the problem.

[richardpringle]

Looks like this has been solved: closing. If the issue persists, please re-open this issue and mention me in a comment so I can take a look right away.

@mrbatista, thanks for your contribution!