I’m working on an application that will use Okta for authentication. I used phx.gen_auth
as a starting place and then used this blog post for reference in adding OAuth using the Ueberauth library with the Okta strategy.
Then I added a few more tweaks so that unauthenticated users would be routed directly to the Okta sign-in page instead of going to the generated Log In page.
I have the LiveView protected by the :require_authenticated_user
plug in the router, and I also have an on_mount
hook that uses the Accounts.get_user_by_session_token(user_token)
method to check for an authenticated user and redirects to the login page if there isn’t a user logged in.
Everything is working great with getting the user logged in, but things get a little strange on log out when I have more than one tab open in the same browser, and both tabs are on the page with the protected LiveView.
On the tab where I click “Log out,” I’m redirected back to the home page with the flash message telling my that my log out was successful. In the database, I can see that the session token has been deleted.
In the second tab - the disconnect
event is fired, and the server disconnects the web socket as expected. Then the client-side JavaScript notices the socket has been disconnected and tries to reconnect - also as expected. This kicks off the authentication process again, and because I’m still logged into Okta - I get automatically logged back in on the second tab with a fresh token in the database.
I think everything is working as it’s meant to work, but as a user - it feels a little uncomfortable. I would prefer to be logged out of all tabs until I take some action to log back in.
Would it make sense to use a JS hook to listen for the disconnect
event and redirect to an unauthenticated page? I think that would happen on a disconnect for any reason, which isn’t quite what I want either - but maybe broadcasting a more specific event that I could listen to from a JS hook?
Or is there another approach that would be better?