All my unit tests and e2e tests for the User Management ticket are passing. However, I have noticed that when I attempt to log out, the session is not deleted because the API request is missing the Authorization header with the Bearer token (auth_token). I have verified that the auth_token is returned in the login, and that the database content is correct.
The problem is also seen in /api/v1/user/update-preferences (although I haven’t gotten to that ticket yet).
The 401 is being generated by Flask because it fails the @jwt_required.
But when this happens, the Authorization header is removed.
As you can see, it is getting as far as the Python webserver, but there is no Authorization header present, even though it is in theory being passed in the fetch function. So I’m fairly confident in saying the problem is not with the backend, but either in the frontend or some security functionality in the latest browsers.
In case it helps in isolating the problem, my application is running on http://127.0.0.1:5001 (port 5000 was conflicting with a service called AirTunes and getting a 403 – you can see “AirTunes” mentioned in the Server response header). I have noticed that README.rst mentions that if using a port that is not 5000, then to change window.host in index.html… but I can find no such mention and I believe it is not required (because the rest of the application works fine, including reaching the API). I should also mention that I’m running the app within a container.
This happens with the latest Chrome, Safari and Firefox.
To the best of my knowledge, this is a symptom of CORS… but it’s the same origin, and none of my browsers are complaining about a CORS violation.
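An added example, not code from the original post or from the project being discussed: a small browser-side helper that builds the fetch request the way the post describes (Bearer token in the Authorization header) and also reports whether the browser will treat the request as same-origin, since that is what decides whether CORS and a preflight are involved at all. The path is the /api/v1/user/update-preferences endpoint named in the post; the function names (classifyRequest, authFetchInit, describeAuthRequest), the HTTP method and the token value are illustrative assumptions. Note that the origin includes the port and the hostname literally, so a page served from http://localhost:5001 calling http://127.0.0.1:5001 is cross-origin even though both resolve to the same machine.

```javascript
// Added example (assumed helper names; not from the original post or project).
// Origin = scheme + host + port. "localhost" and "127.0.0.1" are different
// hosts to the browser, so they are different origins even on the same port.
function classifyRequest(apiUrl, pageOrigin) {
  const target = new URL(apiUrl, pageOrigin); // resolves relative paths against the page
  const page = new URL(pageOrigin);
  return { url: target.href, sameOrigin: target.origin === page.origin };
}

// Build the RequestInit that carries the Bearer token. Refuse to build a
// request with an empty token so a missing login surfaces as an error here,
// not as a silent 401 from the server.
function authFetchInit(token, method = "POST", body) {
  if (!token) {
    throw new Error("no auth_token available; user is not logged in");
  }
  const headers = { Authorization: `Bearer ${token}` };
  const init = { method, headers };
  if (body !== undefined) {
    headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  return init;
}

// Describe what fetch() would send. Authorization is not a CORS-safelisted
// header, so on a cross-origin request the browser first sends an OPTIONS
// preflight (without Authorization) and only sends the real request if the
// preflight succeeds. A same-origin request is sent directly, no preflight.
function describeAuthRequest(apiPath, pageOrigin, token, method = "POST", body) {
  const { url, sameOrigin } = classifyRequest(apiPath, pageOrigin);
  const init = authFetchInit(token, method, body);
  return {
    url,
    init,
    sameOrigin,
    preflight: !sameOrigin,
    authorizationPresent: Object.prototype.hasOwnProperty.call(init.headers, "Authorization"),
  };
}

// Usage in the page (assumed variable names): log the request before sending it,
// then compare the logged headers with what the server actually receives.
//   const req = describeAuthRequest("/api/v1/user/update-preferences",
//                                   window.location.origin, authToken, "POST", { theme: "dark" });
//   console.log(req);
//   fetch(req.url, req.init).then(r => console.log(r.status));
```

If the logged init shows the Authorization header but the server never sees it, the next thing to compare is the request as shown in the browser's network panel: a redirect (for example a trailing-slash redirect), a preflight that failed, or a request that went to a different origin than expected will each show up there, whereas the fetch() call itself looks identical in all three cases.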