ReplAuth - Log out?

BrynParry · August 4, 2023, 2:40am

**I am working through 100 days of code, but this question doesn’t relate directly to it (though it is one of the projects on there). Let me know if I should post it there instead.

We just made a small “blog” and used sessions to log in, and used session.clear() to log out. In the next day we change it so we use ReplAuth to log in. Logging in works fine, but I can’t figure out how to log out again.
I have tried all sorts of things like set_cookie("REPL_AUTH", max_age = 0), but they aren’t affecting the cookie at all.

  repl_auth_cookie = request.cookies.get('REPL_AUTH')
  print (repl_auth_cookie)

returns None

I think it has been asked before but I haven’t found any solutions - anyone got any suggestions?:**

Repl link: https://replit.com/@BrynParry/Day87100Days#main.py

@app.route('/logout')
def logout():
  session.clear()
 # random print to see the function is being called
  print("logging out")
  res = make_response("logged out")
  res.set_cookie('REPL_AUTH', value= "blah", max_age= 0, expires=0)
  res.delete_cookie('REPL_AUTH')
  return redirect("/")

QwertyQwerty88 · August 4, 2023, 2:48am

Does it tell you to have a log out page in the challenge? You might not need to (I don’t know why it’s not working)

BrynParry · August 4, 2023, 2:51am

It doesn’t, and I don’t need to, I just wanted to try to add it in anyway. I guess I should just move on.

QwertyQwerty88 · August 4, 2023, 2:52am

Well instead of making a log out page I usually just redirect to the login page, because you’d usually want to log out just to switch accounts.

boston2029 · August 4, 2023, 3:12am

Well part of that very bottom code snippet looks like flask and the other Express.js, so it wouldn’t work but you could look at flask docs for deleting cookies

I think you have a good idea of how you would do it. You clear REPL_AUTH

BrynParry · August 4, 2023, 3:17am

I think it’s all flask, I used the methods from here:
https://flask.palletsprojects.com/en/2.3.x/api/#flask.Response.set_cookie

set_cookie isn’t changing the cookie at all, and delete_cookie doesn’t seem to do anything.

boston2029 · August 4, 2023, 3:53am

Make sure to set httponly to true. Pretty sure the REPL_AUTH cookie is HTTP only and not in JavaScript.

Example could look like:

res.delete_cookie("REPL_AUTH", None, None, True, True)

BrynParry · August 4, 2023, 4:03am

Ah, that didn’t fix it, but might be heading towards a solution. To set the cookie I used this:

<script src="https://replit.com/public/js/repl-auth-v2.js"></script></a>
    <button onclick="LoginWithReplit()"> Login </button>

Is it possible it was set with JavaScript and can’t be edited with python? I’ve not used JavaScript before so have no idea.

boston2029 · August 4, 2023, 4:06am

Well I think ReplAuth uses HTTP only cookies (which is why you can’t log out by simply calling document.cookie='' in the JavaScript.

So I thought adding the httponly would fix it, but guess not…

python660 · August 4, 2023, 6:25am

well, it seems that the repl proxy/firewall/router/NAT is filtering out the REPL_AUTH cookie, because the cookie field is empty for me despite being logged in.