towerofnix / scratch-api-unofficial-docs

Unofficial documentation for the Scratch API.
https://towerofnix.github.io/scratch-api-unofficial-docs/

How do you sign out of Scratch? #80

Open hueychen27 opened 3 months ago

hueychen27 commented 3 months ago

How can I sign out of Scratch with the Scratch API? I heard of this link https://scratch.mit.edu/accounts/logout/, but how do I use it?

towerofnix commented 3 months ago

The simplest way to sign out is just clearing / discarding your session ID cookie, but of course that would still leave the session valid, just lost to you. (If someone else managed to intercept the session ID and stole it, they would still be able to keep acting as you.)

I've never used that endpoint before, but here is how scratch-www does it, which you can model your own code off of:

// POST to /accounts/logout using a dummy form instead of XHR. This ensures
// logout only happens AFTER onbeforeunload has the chance to prevent navigation.
jar.use('scratchcsrftoken', '/csrf_token/', (err, csrftoken) => {
    if (err) return log.error('Error while retrieving CSRF token', err);
    const form = document.createElement('form');
    form.setAttribute('method', 'POST');
    form.setAttribute('action', '/accounts/logout/');
    const csrfField = document.createElement('input');
    csrfField.setAttribute('type', 'hidden');
    csrfField.setAttribute('name', 'csrfmiddlewaretoken');
    csrfField.setAttribute('value', csrftoken);
    form.appendChild(csrfField);
    document.body.appendChild(form);
    form.submit();
});

I don't know if it's necessary to provide a valid CSRF token here (by fetching /csrf_token/ like the official code does), or if you can just provide 'a' like other code.

If we add this to the documentation (as we should!), it would be great to check if the session ID really is invalidated, i.e. if it's impossible to reuse (if you kept track of it separately from your cookies, or someone else stole it).
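An added example (not code from scratch-www or this repo) that performs the logout described above over fetch and then replays the old session cookie to answer the invalidation question. The endpoints /csrf_token/ and /accounts/logout/ and the csrfmiddlewaretoken field come from this thread; the cookie name scratchsessionsid, the /session/ probe and its JSON shape are assumptions, and fetch is injected so the flow can be exercised offline against a fake server.

```javascript
// Added example, not scratch-www's or this repo's code. Assumed: session
// cookie 'scratchsessionsid'; GET /session/ returns { user: {...} } only while
// the cookie is a live session. Node 20+ fetch exposes headers.getSetCookie().
const BASE = 'https://scratch.mit.edu';

// Extract one cookie's value from a list of Set-Cookie header strings.
function cookieFromSetCookie(setCookies, name) {
  for (const sc of setCookies) {
    const m = sc.match(new RegExp(`(?:^|;\\s*)${name}=([^;]*)`));
    if (m) return m[1];
  }
  return null;
}

// Same request the scratch-www form submits: Django's csrfmiddlewaretoken
// field, with the matching scratchcsrftoken cookie sent alongside it.
function buildLogoutRequest(csrftoken, sessionId) {
  return {
    url: `${BASE}/accounts/logout/`,
    init: {
      method: 'POST',
      redirect: 'manual', // logout answers with a redirect; don't follow it
      headers: {
        Cookie: `scratchcsrftoken=${csrftoken}; scratchsessionsid=${sessionId}`,
        'X-CSRFToken': csrftoken,
        Referer: BASE,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: new URLSearchParams({ csrfmiddlewaretoken: csrftoken }).toString(),
    },
  };
}

// Log out, then replay the OLD session cookie against an authenticated
// endpoint. If the replay still shows a user, the server kept the session
// alive and anyone holding a copy of that cookie can keep using it.
async function logoutAndVerify(fetchImpl, sessionId) {
  const csrfRes = await fetchImpl(`${BASE}/csrf_token/`, { redirect: 'manual' });
  const csrftoken = cookieFromSetCookie(csrfRes.headers.getSetCookie(), 'scratchcsrftoken');
  if (!csrftoken) throw new Error('no scratchcsrftoken cookie returned');

  const { url, init } = buildLogoutRequest(csrftoken, sessionId);
  const logoutRes = await fetchImpl(url, init);

  const probe = await fetchImpl(`${BASE}/session/`, {
    headers: { Cookie: `scratchsessionsid=${sessionId}` },
  });
  const body = await probe.json(); // assumed shape, see header comment
  return { logoutStatus: logoutRes.status, sessionStillValid: Boolean(body && body.user) };
}
```

Run it with the real `fetch` and a session cookie you own; `sessionStillValid: true` after a 302 from the logout endpoint means the session was only dropped client-side.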

hueychen27 commented 3 months ago

You do need to provide a valid CSRF token, at least in my experiences (not "a".)

hueychen27 commented 3 months ago

By the way, I adapted the code to work for node-fetch, and it will not sign out all sessions using the account, only your session. Maybe I need to use the browser's csrftoken.

towerofnix commented 3 months ago

I don't think it's possible to sign out all sessions (short of resetting your password, probably). Even if you got the browser's cookies and used those, you would only be signing out on that browser and that system, not any other browsers/computers which are signed in.

hueychen27 commented 3 months ago

If someone gets your session cookie, they can use your account without your password. Changing your password does not help. I know this because I have been hacked as I gave away the essential cookies... As a conclusion, the Scratch Team banned my account, got it back from a repeal request, and the hacker was no more.

towerofnix commented 3 months ago

That's interesting. I assumed resetting password might log all sessions out, since the page reads "After changing your password, you will be prompted to log back in." — but it looks like that's mistaken, or only affects the current session.

hueychen27 commented 3 months ago

When it says "you," it really means only you...