Steps to reproduce
1. Have a service that does not have authenticate('jwt') on it.
2. Have authorize({ adapter: 'feathers-mongodb' })
3. Login with a user (I do it from Angular) that has a role and gets Ability
4. Logout
Expected behavior
I would expect that after logout I would not be able to use the service, because I wouldn't have Ability to.
Actual behavior
After logout I am definitely kicked out of the channels because I don't get any more updates on the service.
But funny enough, when I try to use the service according to the Ability I had as a logged-in user, I can do it.
After digging around a bit I see ability is not erased from context.params on logout. A page refresh clears this.
Is this a bug, or something not known, not documented? Should I handle this on the authenticate hook myself?
P.S. I assume if you only have systems where the same user uses it over and over you don't get into this issue.
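
The behaviour reported above, as an added example that is not part of the original issue and is not Feathers or feathers-casl code: a simplified model of a connection whose params persist between calls, showing a cached ability outliving logout and two ways to fail closed. `Connection`, `buildAbility`, `RULES` and both `authorize*` functions are hypothetical names, and the rule set is constructed.

```javascript
// Simplified model only: NOT Feathers or feathers-casl code. All names are hypothetical.
// Assumption: per-connection params persist between calls for the life of the socket.

// Constructed rule set: role -> allowed [action, service] pairs.
const RULES = { editor: [['create', 'articles'], ['find', 'articles']] };

function buildAbility(user) {
  const rules = user ? RULES[user.role] || [] : [];
  return { can: (action, service) => rules.some(([a, s]) => a === action && s === service) };
}

class Connection {
  constructor() { this.params = {}; }          // state shared by every call on this socket
  login(user) {
    this.params.user = user;
    this.params.ability = buildAbility(user);  // ability cached at login
  }
  // Leaky logout: drops the user but forgets the cached ability.
  logoutLeaky() { delete this.params.user; }
  // Hardened logout: clear all authorization state derived from the session.
  logout() { delete this.params.user; delete this.params.ability; }
}

// Check that trusts whatever ability is cached on the connection.
function authorizeCached(conn, action, service) {
  return Boolean(conn.params.ability && conn.params.ability.can(action, service));
}

// Fail-closed check: no authenticated user means no access, and the ability
// is rebuilt from the current user instead of being read from the cache.
function authorizeStrict(conn, action, service) {
  if (!conn.params.user) return false;
  return buildAbility(conn.params.user).can(action, service);
}

function demo() {
  const conn = new Connection();
  conn.login({ id: 1, role: 'editor' });
  const whileLoggedIn = authorizeCached(conn, 'create', 'articles');
  conn.logoutLeaky();
  const staleAllowed = authorizeCached(conn, 'create', 'articles');  // stale ability grants access
  const strictAllowed = authorizeStrict(conn, 'create', 'articles'); // denied: no user
  conn.login({ id: 2, role: 'editor' });
  conn.logout();
  const afterCleanLogout = authorizeCached(conn, 'create', 'articles');
  return { whileLoggedIn, staleAllowed, strictAllowed, afterCleanLogout };
}

console.log(demo());
```
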