Hello there, I need help to sign out or revoke a token in my Phoenix API with Guardian

Hi, I have an API and I’m using Guardian to authenticate users. I can log in correctly, but when I try to log out nothing happens.

I’m using the Guardian function Guardian.revoke/2, passing the connection and the token (in some tests I have even hard-coded the correct token). This does not throw any error, but when I then go to another protected route with the same token, I can still access that route. How could I revoke this token?

# revoke a token (use GuardianDb or something similar if you need revoke to actually track a token)
{:ok, claims} = MyApp.Guardian.revoke(token)

The above comes from the official docs.

@bian2510 This is more effective if you’re using the GuardianDB from the server side. If you’re not using GuardianDB, you probably need to clear the token from the cookie or cache for it to work.

2 Likes

In a typical web application you do not revoke a token but rather delete the token from the client storage, thereby logging the user out.

If you really want to revoke a token, as in the case where you don’t control the client, you will have to keep the revoked tokens in persistent storage and check that every token you encounter is not one of the revoked ones. I haven’t done that myself; Guardian will not do that for you, it just provides some hooks so you can implement it yourself.

2 Likes
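The hooks mentioned in the answer above are Guardian's on_revoke/3 and on_verify/3 callbacks. The following is an added example, not code from this thread or from the Guardian project, showing one way to wire them to a revocation list keyed by the token's jti claim. The module names MyApp.Guardian and MyApp.Revoked, the :my_app OTP app name and the ETS-backed store are assumptions; a real deployment would back the list with a database or Redis so it survives restarts.

```elixir
# Added example (not from the thread or Guardian's own code): a revocation list
# keyed by the token's "jti" claim, wired into Guardian's on_revoke/3 and
# on_verify/3 hooks. MyApp.Guardian and MyApp.Revoked are assumed names.

defmodule MyApp.Revoked do
  @moduledoc """
  In-memory denylist of revoked token ids (jti), each kept until the token's
  own expiry so the table cannot grow without bound. Assumed helper; use a
  database or Redis in production so revocations survive restarts.
  """
  use GenServer

  @table :revoked_tokens

  def start_link(_opts), do: GenServer.start_link(__MODULE__, nil, name: __MODULE__)

  @impl true
  def init(_) do
    :ets.new(@table, [:named_table, :set, :public, read_concurrency: true])
    {:ok, nil}
  end

  # Remember the token id together with the token's "exp" (unix seconds).
  def add(jti, exp) when is_binary(jti) and is_integer(exp) do
    :ets.insert(@table, {jti, exp})
    :ok
  end

  # A jti is revoked only while the token it belongs to would still be valid;
  # an entry for an already-expired token is dropped on the way out.
  def revoked?(jti) when is_binary(jti) do
    now = System.system_time(:second)

    case :ets.lookup(@table, jti) do
      [{^jti, exp}] when exp > now ->
        true

      [{^jti, _expired}] ->
        :ets.delete(@table, jti)
        false

      [] ->
        false
    end
  end
end

defmodule MyApp.Guardian do
  use Guardian, otp_app: :my_app

  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def resource_from_claims(%{"sub" => id}), do: {:ok, %{id: id}}

  # Runs inside MyApp.Guardian.revoke/2: record the jti so the token is refused
  # from now on. Guardian's default claims already include "jti" and "exp".
  def on_revoke(%{"jti" => jti, "exp" => exp} = claims, _token, _opts) do
    MyApp.Revoked.add(jti, exp)
    {:ok, claims}
  end

  # Runs on every decode_and_verify/3, and therefore on every request that
  # passes through Guardian.Plug.VerifyHeader / VerifySession, so a revoked
  # token is rejected on the next protected route, not just on logout.
  def on_verify(%{"jti" => jti} = claims, _token, _opts) do
    if MyApp.Revoked.revoked?(jti), do: {:error, :token_revoked}, else: {:ok, claims}
  end
end
```

With MyApp.Revoked started under the application's supervision tree, a logout action can call MyApp.Guardian.revoke(Guardian.Plug.current_token(conn)) and any later request presenting that same bearer token fails verification with {:error, :token_revoked}. Because on_verify runs on every request, the lookup should be cheap; keeping entries only until the token's own exp keeps the list small, and this design only works for tokens that actually carry a jti.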

Great, thanks for the excellent explanation.

Perfect, I’m not using GuardianDB, but I can see it now. I was confused, thinking that the token should be revoked, but I only need to clear the cache or cookie from the front-end app.

Thanks