Hi,
I have Node-RED up and running. I secured Node-RED using a Node-RED token
by getting the token from the
/auth/token
API path and passing the fetched access token in the way below from React:
/?access_token=your_access_token
which is working fine,
but when I'm trying to revoke this token using
/auth/revoke
by passing the token in the header and even in the body,
it's not revoking the token. I'm still able to work with or use the same token further.
Can you be more specific please? Which header? What format in the body? Please list out the examples you tried. If you could provide these examples as curl or flow that would be a bonus.
So, I'm passing the token in place of A_secret_token, but when I'm trying to log in again using that token I'm able to get to the home screen of Node-RED, where it is expected that it should throw me back to the login screen.
Regarding the auth/revoke API, the data part where you provide the token is for the user to logout...
e.g. --data 'token=SECRET_TOKEN_OF_USER_TO_LOG_OUT'
Secondly, as the SECRET_TOKEN_OF_USER_TO_LOG_OUT may have a + character, you should use --data-urlencode, otherwise they get converted to spaces (need to check if this has changed in node-red/node-js/express since the docs were written).
e.g. --data-urlencode 'token=SECRET_TOKEN_OF_USER_TO_LOG_OUT'
Lastly, sending an auth/revoke request will not instruct the browser to redirect, since the request goes to the server side (node-red) and the browser is in the client side (user-land). HOWEVER, if you are successful in revoking the token, operations within node-red will not be possible (e.g. clicking an inject will show "Error: unexpected error (401)"); refreshing the page would take the user to the login screen.
PS: There may be multiple tokens from multiple browsers for the same user. Just because you revoke 1 "admin" account login, does not mean all browsers logged in as "admin" are suddenly revoked.
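A curl walk-through of the get/use/revoke sequence discussed above, added here as an example rather than taken from the thread. It assumes a running Node-RED with adminAuth enabled, reachable through caller-supplied NODE_RED_URL, NODE_RED_USER and NODE_RED_PASS variables (names chosen for this example); extract_token, auth_status, get_token and revoke_token are helpers defined here, not Node-RED APIs.

```shell
#!/bin/sh
# Added example (not from the thread): exercise the Node-RED admin-API token
# lifecycle: obtain a token, use it, revoke it, then confirm it is rejected.
# NODE_RED_URL / NODE_RED_USER / NODE_RED_PASS are hypothetical variable names
# supplied by the caller; nothing is sent to the network unless they are set.

# Pull the access_token value out of the /auth/token JSON reply (no jq needed).
extract_token() {
    printf '%s' "$1" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# HTTP status of an authenticated admin-API call; GET /settings needs a valid
# token once adminAuth is enabled, so it doubles as an "is this token live?" probe.
auth_status() {
    # $1 = base URL, $2 = token
    curl -s -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $2" "$1/settings"
}

# Password grant against /auth/token, as documented for the admin API.
get_token() {
    # $1 = base URL, $2 = user, $3 = password
    resp=$(curl -s -X POST "$1/auth/token" \
        --data 'client_id=node-red-admin' --data 'grant_type=password' \
        --data 'scope=*' \
        --data-urlencode "username=$2" --data-urlencode "password=$3")
    extract_token "$resp"
}

# POST /auth/revoke: bearer header identifies the caller, body names the token
# to log out. --data-urlencode keeps a '+' in the token from arriving as a space.
revoke_token() {
    # $1 = base URL, $2 = token
    curl -s -o /dev/null -w '%{http_code}' -X POST "$1/auth/revoke" \
        -H "Authorization: Bearer $2" --data-urlencode "token=$2"
}

if [ -n "${NODE_RED_URL:-}" ]; then
    tok=$(get_token "$NODE_RED_URL" "$NODE_RED_USER" "$NODE_RED_PASS")
    echo "before revoke: GET /settings -> $(auth_status "$NODE_RED_URL" "$tok")"
    echo "revoke:        POST /auth/revoke -> $(revoke_token "$NODE_RED_URL" "$tok")"
    echo "after revoke:  GET /settings -> $(auth_status "$NODE_RED_URL" "$tok")"
fi
```

If the last line still prints 200, the revoke did not take effect server-side; if it prints 401, the token is dead and any editor tab still "working" is only the browser holding stale state until its next request fails.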
I agree and I am checking this flow only.
So, what is happening in my case is: suppose I received token x from auth/token. I opened Node-RED with that token by passing it in the URL in this way, /?access_token=x,
in a separate tab. Now I'm revoking that token x using auth/revoke, and in response I'm getting 200, i.e. successfully revoked. But after revoking, when I'm moving to the Node-RED tab which was opened with token x (and no other Node-RED project is running), I'm still able to do all the operations, and even after refreshing, the page is not taking me to the login screen.
Is there any other API that I need to call to revoke that token, or am I doing anything wrong?