Is logout with OAuth and accounts-google working as expected?

Login works fine, but the behavior of logout is a little surprising to me.

I’m using the default logout template and Meteor 1.2.1. After pushing Log Out, the Meteor user is successfully logged out, but the oauth credentials are kept. So if another user comes along and pushes the Log In button, they’re happily logged into the Meteor app with the previous user’s credentials.

Can anybody help me understand why accounts-google works this way? Any advice on how to best to remove the credentials would also be very helpful.

(You can see an example of another app that behaves this way, Siwure, from the sample apps page at http://www.meteorapps.co/).

*edit: I can see why this is the default behavior for web/browser. Should it also be the default behavior for Cordova apps?

Never mind Siwure, the logout button up there at the top right looks like it works the same way.

I have the exact same frustration, so wherever I use

Meteor.logout();

I also add

window.location.replace('https://accounts.google.com/Logout');

(actually, wrap that in its own function)

An alternative would be to use the callback

Meteor.logout(function(){
  window.location.replace('https://accounts.google.com/Logout');
})

You can easily “patch it” as shown by @serkandurusoy - but that would expect that the user refreshed the site before logging in - otherwise anyone could tamper with client code and do anything on the user’s behalf.
Or you can reject the whole token server side so google will poop on you if you try to use it again.

1 Like

That’s a good point, @shock. Setting window.location to the google accounts /Logout does what you want in the browser … except now I understand that in the browser I don’t actually want to log the user out of their google account. And in Cordova, it doesn’t appear to work until you kill and reload the app. The cookies for the google account are still there, so the next time I tap Log In, in I go!

I also don’t want to destroy the token serverside. I tried it, and if I deleted enough data to make auth fail (the user id, specifically) it made meteor recreate the account.

I don’t really want to revoke the oauth authorization, either.

What I really want to do is clear the google accounts cookies on the Cordova client … which requires adding a native plugin. Because the packages I’m finding in atmosphere don’t work with cookies on Cordova, I’ve decided to use cordova-cookie-master and just nuke all the cookies via clear():

Meteor.logout(function() {
    if (Meteor.isCordova) {
        cookieMaster.clear();
    }
});

I still wonder if the default behavior is the best option on Cordova, but this fixes the problem for me.
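Added example, not code from anyone in this thread: the server-side option @shock raised, written so it avoids the account-recreation problem described above. It strips only the token fields from `services.google` (keeping `id`, which accounts-google matches on at the next login) and revokes the access token at Google. Assumed: the `user.services.google` layout accounts-google writes, an injected `post` with the shape of Meteor’s `HTTP.post` result (`{ statusCode }`), and an injected `update` with the shape of `Meteor.users.update`.

```javascript
// Added example (not from the thread). Server-side complement to Meteor.logout:
// drop the stored Google tokens and revoke the access token at Google, so a stale
// token cannot be replayed by client code even before the page is refreshed.
// Assumed document layout, as written by accounts-google:
//   user.services.google = { id, email, accessToken, refreshToken, idToken, expiresAt, scope }
const GOOGLE_REVOKE_URL = 'https://oauth2.googleapis.com/revoke';

// Credential material only; everything here can go without losing the account.
const TOKEN_FIELDS = ['accessToken', 'refreshToken', 'idToken', 'expiresAt', 'scope'];

// Build the Mongo modifier that strips tokens but keeps services.google.id (and
// email): id is what accounts-google matches on at the next login, and removing
// it makes Meteor create a fresh account instead, as observed in the thread.
function buildTokenUnsetModifier(user) {
  const google = user && user.services && user.services.google;
  if (!google) return null;
  const unset = {};
  for (const field of TOKEN_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(google, field)) {
      unset['services.google.' + field] = '';
    }
  }
  return Object.keys(unset).length ? { $unset: unset } : null;
}

// Revoke the token at Google. `post` has the shape of Meteor's HTTP.post
// (url, { params }) -> { statusCode } and is injected so this runs offline in tests.
// Google answers 200 on success and 400 for an unknown or already-revoked token;
// revoking the access token revokes the whole grant (refresh token included).
function revokeGoogleToken(token, post) {
  if (!token) return false;
  const res = post(GOOGLE_REVOKE_URL, { params: { token: token } });
  return res.statusCode === 200;
}

// Intended to run in a Meteor method (with this.userId) before the client calls
// Meteor.logout. `update` has the shape of Meteor.users.update(selector, modifier).
function dropGoogleTokens(user, post, update) {
  const google = user && user.services && user.services.google;
  const revoked = revokeGoogleToken(google && google.accessToken, post);
  const modifier = buildTokenUnsetModifier(user);
  // Strip the stored copy whether or not Google accepted the revocation, so a
  // network error cannot leave a usable token sitting in the database.
  const removed = modifier ? update({ _id: user._id }, modifier) : 0;
  return { revoked: revoked, removed: removed > 0 };
}
```

Because `services.google.id` survives, the next `Meteor.loginWithGoogle` attaches to the same account; the user only has to consent again.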

I still think you don’t want to clear everything.
More like force a login prompt.

This is part of my code

Meteor.signInWithGoogle {
  requestPermissions: ['profile', 'https://www.googleapis.com/auth/youtube.readonly']
  requestOfflineToken: true
  forceApprovalPrompt: false
}

So I believe that if you fiddle with these prompt, force_prompt google options etc, you can force the login screen for a given prompt.
I have some buttons where I ask for a higher level of permissions and these always ask for which account …