
Can't logout user with basic authentication in ServiceStack


I'm currently trying to implement ServiceStack's authentication plugin but I'm having trouble logging out a user after they have logged in. I've seen from this thread:

How to logout authenticated user in ServiceStack?

that you should be able to make the request auth/logout. However I'm still logged in at this point. I also tried to log in as an invalid user /auth?username=&password= but to no avail.

The strange thing is these methods have worked for me on very rare occasions but I haven't found the reason why. Any help would be appreciated.

UPDATE:

I just tried out the above requests in Fiddler and noticed I'm getting back a 401. I suppose that should be expected when trying to log in as an invalid user but why is it the case for the logout request?


Solution

  • It looks like this is the same case of username/password validation being triggered on logout. You can overcome this issue by rolling out your own CustomAuthProvider if you're not already doing so. In the validation section you should exclude the logout as a provider.

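    using ServiceStack;
    using ServiceStack.Auth;
    using ServiceStack.FluentValidation;

    public class CustomAuthProvider : CredentialsAuthProvider
    {
        // Validator for the Authenticate request DTO. The required-field
        // rules are skipped when the request is a logout (provider == "logout"),
        // because a logout request carries no username or password.
        private class CredentialsAuthValidator : AbstractValidator<Authenticate>
        {
            public CredentialsAuthValidator()
            {
                RuleFor(x => x.UserName)
                        .NotEmpty().WithMessage("Username Required")
                        .When(d => d.provider != "logout");

                RuleFor(x => x.Password)
                        .NotEmpty().WithMessage("Password Required")
                        .When(d => d.provider != "logout");
            }
        }

        public override object Authenticate(IServiceBase authService, IAuthSession session, Authenticate request)
        {
            // Throws a validation exception if a non-logout request is missing credentials.
            new CredentialsAuthValidator().ValidateAndThrow(request);
            return Authenticate(authService, session, request.UserName, request.Password, request.Continue);
        }
    }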
    

    You will also need to register the CustomAuthProvider:

    Plugins.Add(new AuthFeature(() => new CustomUserSession(),
        new IAuthProvider[] {
           new CustomAuthProvider()
        }) { HtmlRedirect = null });
    

    Note: you are missing the provider in /auth/{provider}?username=&password=