Ticket: User Management :: Logout gets a 401 because auth_token is not presented in API request

All my unit tests and e2e tests for the User Management ticket are passing. However, I have noticed that when I attempt to log out, the session is not deleted because the API request is missing the Authorization header with the Bearer token (auth_token). I have verified that the auth_token is returned in the login, and that the database content is correct.

The problem is also seen in /api/v1/user/update-preferences (although I haven’t gotten to that ticket yet).

The 401 is being generated by Flask because it fails the @jwt_required.

I have verified (by a JavaScript breakpoint) that the auth_token is known to the front-end application, and I can see the Authorization header being passed into the fetch JavaScript function in request.js.

But when this happens, the Authorization header is removed.

As you can see, it is getting as far as the Python webserver, but there is no Authorization header present, even though it is in theory being passed in the fetch function. So I’m fairly confident in saying the problem is not with the backend, but either in the frontend or some security functionality in the latest browsers.

In case it helps in isolating the problem, my application is running on http://127.0.0.1:5001 (port 5000 was conflicting with a service called AirTunes and getting a 403 – you can see “AirTunes” mentioned in the Server response header). I have noticed that README.rst mentions that if using a port that is not 5000, then to change window.host in index.html… but I can find no such mention and I believe it is not required (because the rest of the application works fine, including reaching the API). I should also mention that I’m running the app within a container.

This happens with the latest Chrome and Safari, and with Firefox.

I’ve tried both http://127.0.0.1:5001/ as well as https://localhost:5001/.

To the best of my knowledge, this is a symptom of CORS… but it’s the same origin, and none of my browsers are complaining about a CORS violation.

Cheers,
Cameron

UPDATE. I believe this is a JavaScript code issue, but I don’t know exactly why… possibly the way the headers and options are being combined? Or maybe that it doesn’t have a body? Either way, after attempting to do a logout (and failing, with the session entry in MongoDB still present), the following code works when pasted into the JavaScript console in the developer tools (I’m not a JS developer, so this is me learning).

After this, the MongoDB entry in the sessions table is removed as expected.

Cheers,
Cameron

I have also noticed that when this occurs for other functionality (e.g. comments), while the UI in general shows this problem, the integration tests in the Status panel work correctly.
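One way fetch options can lose a nested `headers` object when they are combined, shown as an added example that is not code from the post or from its request.js: a shallow object spread lets a later `headers` object replace an earlier one wholesale, so the Bearer token never reaches the server. All names (`DEFAULT_OPTIONS`, `buildOptions*`, `hasBearerToken`) and the sample token are hypothetical.

```javascript
// Added example, not the post's request.js. Names are hypothetical.
// Default fetch options that a request helper might apply to every call.
const DEFAULT_OPTIONS = {
  credentials: 'same-origin',
  headers: { 'Content-Type': 'application/json' },
};

// Normalise anything fetch accepts as `headers` (plain object, array of
// [name, value] pairs, or a Headers instance) into a lower-cased plain object.
function toPlainHeaders(headers) {
  if (!headers) return {};
  if (typeof headers.forEach === 'function' && !Array.isArray(headers)) {
    const out = {};
    headers.forEach((value, name) => { out[name.toLowerCase()] = value; });
    return out;
  }
  const entries = Array.isArray(headers) ? headers : Object.entries(headers);
  return Object.fromEntries(entries.map(([n, v]) => [n.toLowerCase(), v]));
}

// Buggy: object spread is shallow, and defaults are applied after the
// caller's options, so the default `headers` object replaces the caller's
// one entirely. The Authorization header is silently dropped.
function buildOptionsShallow(callerOptions) {
  return { ...callerOptions, ...DEFAULT_OPTIONS };
}

// Fixed: merge the nested headers explicitly, caller values winning.
function buildOptionsMerged(callerOptions) {
  return {
    ...DEFAULT_OPTIONS,
    ...callerOptions,
    headers: {
      ...toPlainHeaders(DEFAULT_OPTIONS.headers),
      ...toPlainHeaders(callerOptions.headers),
    },
  };
}

// The check a JWT-protected endpoint effectively performs before anything
// else: is there an Authorization header carrying a bearer token?
function hasBearerToken(options) {
  const auth = toPlainHeaders(options.headers).authorization;
  return typeof auth === 'string' && auth.startsWith('Bearer ');
}
```

Running `hasBearerToken` on the result of each builder shows which combination strategy would produce the 401 described above.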