[Bug]: Logout does not clear session token when using auth headers to login

[deathblade666]

Verified issue does not already exist?

• I have searched and found no existing issue
• I will be providing steps how to reproduce the bug (in most cases this will also mean uploading a demo budget file)

What happened?

Setup HTTP Auth header login, pressed logout to end the session, it immediately logs back in as the session token doesnt cleared

Where are you hosting Actual?

Docker

What browsers are you seeing the problem on?

Firefox, Chrome

Operating System

Linux

[twk3]

@deathblade666 which session token are you referring to? The user-token in the browser is removed, but if you are using a third party auth provider, we aren't clearing their session tokens. Which might result in an automatic re-login.

[deathblade666]

@deathblade666 which session token are you referring to? The user-token in the browser is removed, but if you are using a third party auth provider, we aren't clearing their session tokens. Which might result in an automatic re-login.

That makes sense, yeah that's probably it honestly unsure how to tell which is which just noticed the token is still there and it autologins back in as soon as I try to logout. Based on your in-out its probably the thrid party token (I use authentik) that's not clearing.

[safehome-jdev]

@deathblade666 which session token are you referring to? The user-token in the browser is removed, but if you are using a third party auth provider, we aren't clearing their session tokens. Which might result in an automatic re-login.

That makes sense, yeah that's probably it honestly unsure how to tell which is which just noticed the token is still there and it autologins back in as soon as I try to logout. Based on your in-out its probably the thrid party token (I use authentik) that's not clearing.

Yeah, it looks might be an issue with authentik's sign out methods