
@bcotrim bcotrim commented Jul 7, 2025

Related issues

Proposed Changes

  • Add revoke token call during logout

Testing Instructions

  • check 187112-ghe-Automattic/wpcom
  • Run Studio and log in to WordPress.com
  • Cut your internet connection
  • Confirm the logout button is disabled
  • Restore your internet connection
  • Confirm the logout button is enabled
  • Log out and confirm the request was made to revoke the token
  • Using the token from Studio, try to make a request to the WordPress.com API (you can just copy/paste the auth info from appdata from before you logged out)

Pre-merge Checklist

  • Have you checked for TypeScript, React or other console errors?

@bcotrim bcotrim requested a review from a team July 7, 2025 17:04
@bcotrim bcotrim self-assigned this Jul 7, 2025
Member

@sejas sejas left a comment


I sandboxed the API and tried logging out. I confirm the token is revoked and it works as expected:

wpcom-logout-deauth-token.mp4

Comment on lines 76 to 90
```js
const response = await fetch(
	'https://public-api.wordpress.com/wpcom/v2/studio-app/token',
	{
		method: 'DELETE',
		headers: {
			Authorization: `Bearer ${ token.accessToken }`,
			'Content-Type': 'application/json',
		},
		signal: AbortSignal.timeout( 5000 ),
	}
);

if ( ! response.ok ) {
	console.error( 'Failed to revoke token:', response.status, response.statusText );
}
```
Member


Ha! It seems the wpcom `req.delete` sends the POST method instead. In theory, if you pass the method as a param it should override it, but I couldn't make it work. See the code.

An alternative, if we want to avoid passing the bearer token, is using `client.request` instead, which I tried and it works. Something like:

```js
// Let the wpcom client attach its own credentials instead of passing the bearer token by hand.
client?.request(
	{
		apiNamespace: 'wpcom/v2',
		method: 'DELETE',
		path: '/studio-app/token',
	},
	( err, response ) => {
		if ( err ) {
			console.error( 'Failed to revoke token:', err );
			return; // do not report success when the revoke call failed
		}
		console.log( 'Token revoked:', response );
	}
);
```
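One way to make the fetch-based revoke call quoted above account for every outcome, as an added example that is not code from the PR or from Studio: `revokeToken`, its injectable `fetchImpl`, and the constructed `fakeFetch` responses are assumptions. The point it shows is that `AbortSignal.timeout()` makes `fetch` reject rather than return a non-ok response, so a bare `if ( ! response.ok )` never sees a timeout or an offline failure.

```javascript
const REVOKE_URL = 'https://public-api.wordpress.com/wpcom/v2/studio-app/token';

// Revoke the token with DELETE + Bearer header and a timeout, and report every
// outcome. AbortSignal.timeout() makes fetch *reject* on timeout, so a plain
// `if ( ! response.ok )` check never sees it; the catch branch below does.
// `fetchImpl` is injectable (assumption) so the logic can run offline with a fake.
async function revokeToken( accessToken, { fetchImpl = fetch, timeoutMs = 5000 } = {} ) {
	try {
		const response = await fetchImpl( REVOKE_URL, {
			method: 'DELETE',
			headers: {
				Authorization: `Bearer ${ accessToken }`,
				'Content-Type': 'application/json',
			},
			signal: AbortSignal.timeout( timeoutMs ),
		} );
		if ( response.ok ) {
			return { outcome: 'revoked', status: response.status };
		}
		// The server answered but refused: the token may still be live, so the
		// caller should not assume local logout invalidated it.
		return { outcome: 'rejected', status: response.status };
	} catch ( err ) {
		// TimeoutError is the reason AbortSignal.timeout() aborts with; anything
		// else is a transport failure (e.g. the user went offline mid-request).
		const outcome = err && err.name === 'TimeoutError' ? 'timeout' : 'network-error';
		return { outcome, status: null };
	}
}

// Constructed fake fetch: the token string selects which branch to exercise.
function fakeFetch( url, init ) {
	const token = init.headers.Authorization.replace( 'Bearer ', '' );
	if ( url !== REVOKE_URL || init.method !== 'DELETE' ) {
		return Promise.resolve( new Response( null, { status: 405 } ) );
	}
	if ( token === 'offline' ) {
		return Promise.reject( new TypeError( 'fetch failed' ) );
	}
	if ( token === 'hang' ) {
		// Never answer; only the caller's AbortSignal can end this request.
		return new Promise( ( _, reject ) => {
			init.signal.addEventListener( 'abort', () => reject( init.signal.reason ) );
		} );
	}
	return Promise.resolve( new Response( null, { status: token === 'valid' ? 200 : 401 } ) );
}
```

Only the `revoked` outcome means the server actually invalidated the token; the other three are the cases where clearing local app data alone would leave a live token behind.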

Contributor Author


I also couldn't overwrite the method.
But using `client.request` is a great approach, thanks @sejas.

@bcotrim bcotrim merged commit 5591cb7 into trunk Jul 9, 2025
12 checks passed
@bcotrim bcotrim deleted the stu-488-revoke-the-oauth-token-when-user-logs-out branch July 9, 2025 13:59