How do I delete my custom cookie when user log out?

rafaucau

I am creating a LsCache extension and I need to distinguish logged in user from non-logged in user in .htaccess rule (RewriteRule .* - [E=Cache-Vary:flarum_remember,flarum_lscache_vary]). For this purpose I created a middleware, which adds a cookie when the user is logged in.
I have a problem with deleting this cookie when the user logs out.
My middleware (https://github.com/android-com-pl/flarum-lscache/blob/main/src/Middleware/LogoutMiddleware.php) starts too early and the cookie is not removed. It seems that it can't be middleware and there must be some callback that performs the cookie removal when the logout is done.

What is the best approach to remove the cookie only when the user has logged out successfully?

clarkwinkelmann

The reason this doesn't work is because Flarum doesn't actually update the $request->getAttribute('actor') value after logout, so it can't be used to know whether the logout was successful. Whether it should be is a whole question in itself since it's a request attribute, not a response attribute 😅

What you could do is check whether $response instanceof RedirectResponse. We see RedirectResponse might be returned if the user is already logged out, or after a successful logout https://github.com/flarum/core/blob/master/src/Forum/Controller/LogOutController.php . Other options would be HtmlResponse in case the CSRF token was invalid. If a 500 error occurs, an exception would be thrown and bump up the middleware tree to the error handler middleware so it's not of concern.

If you're adding the cookie back on every guest request, maybe it wouldn't hurt to delete the cookie every time on logout attempt, even if in a few situations the logout does end up failing? As long as the logout endpoint itself doesn't end up cached.

rafaucau

clarkwinkelmann Thanks! It works.

Well, now I have to find a way to handle CSRF when the page is cached. I will try to retrieve it with ESI or with JS script that will fetch the path in API that is not cached. https://docs.litespeedtech.com/lscache/lsclaravel/settings/#csrf-meta-tag-token Anyone have better ideas on how to handle CSRF with cache?

clarkwinkelmann

rafaucau it might not be easier, but you could create a dedicated login page, and then make sure that page is not cached, and make sure the page is always loaded through a page change and not inside of the single page navigation.

I actually created an extension to separate the signup page from the rest of the single page app. It's not been officially released yet though https://github.com/flamarkt/signup-page The idea was to maybe offer an option in that extension to have login and registration on a single page as well. But the main reason for its existence if because when you install Flamarkt you might get too many registration fields and the modal isn't well suited for it.

I suppose an easier solution (and it's probably what you're already describing) would be to make an API request as soon as the login or registration modal opens, that way it can retrieve a CSRF token, and then use it in the actual POST request.