Unable to logout from the default users auth endpoint

[notchris]

Bug Report

Hello and thank you for making payload awesome. I am having a weird issue where I get a 403 response when trying to log out a user who has logged in via the API. I've checked the following:

• Users has auth enabled (although a separate Admins collection can only access the dashboard)
• I've added the URL of the public site making the request to the cors / csrf array in the payload config.
• A user sends a login request to the API which returns the expected JSON response on success.
• The /me endpoint is called to verify the user exists on following requests (with credentials included).

Then, I send a POST request to the /users/logout endpoint and get this response back:

{
body: (...)
bodyUsed: false
headers: Headers {}
ok: false
redirected: false
status: 403
statusText: "Forbidden"
type: "cors"
url: "http://localhost:3000/api/users/logout"
}

Expected Behavior

Upon hitting the logout endpoint, there should be a valid response. I'm assuming my configuration is causing this issue, but I've tried to follow the documentation closely.

Current Behavior

Possible Solution

Steps to Reproduce

Detailed Description

[jmikrut]

Hey @notchris — I'm going to move this to a Discussion instead of an issue, as I think this has to do with your implementation.

Question - are you using Postman or something to test this?

All the logout operation does is simply removes the HTTP-only cookie that is set. But, looking at the code:

https://github.com/payloadcms/payload/blob/master/src/auth/operations/logout.ts

You can see here that a Forbidden error will be thrown if you are trying to logout from a different collection vs. the one that you're logged in as. Basically, you can have more than one collection that supports auth, and you might be logged in with one user in collection A, but hitting the logout route from collection B.

This looks to be the only way that you'd be getting a Forbidden error.

[notchris]

Thanks for the prompt response @jmikrut! I've investigated the issue a bit more and can confirm that all of the endpoints I am using are targeting the users collection. It may be possible that my Admins collection, with a user with the same email address, may be interfering somehow...but I'm not sure how that would happen on the users collection endpoint.

[notchris]

I totally figured it out! Turns out I needed credentials: include on the login request, I was only using it on other requests. The weird status errors were actually coming from incorrect promise resolution on my part. Sorry!