Doing Logout in REST with different models

I can do a login with different models: User and Client. The REST service works well and it points to the corresponding tables to generate the access token. In each ActiveController I set the right model class.

I can also consume the different REST services from my app from the different controllers, but I have an issue when I try to run a logout: whichever ActiveController I put the logout action in, Yii2 will query only the user table to check the access token, which raises the error if I am, for instance, in the Client “session”.

The way I have implemented the logout on user and client active controller is just like the following:

    public function actionLogout(): array
    {
        $transaction = Yii::$app->db->beginTransaction();

        $model = $this->findModel($this->request->post('id'));
        $model->access_token = null;
        $model->status = 0;
        if ($model->save()) {
            $transaction->commit();
            Yii::$app->user->logout();
            return ['success' => true];
        }
        $transaction->rollBack();
        $message = '';
        foreach ($model->errors as $key => $error) {
            $message .= "$error[0]\n";
        }
        throw new BadRequestHttpException($message, 400);
    }

And the findModel methods on each controller are:

    // UserController
    protected function findModel($id)
    {
        if (($model = User::findOne(['id' => $id])) !== null) {
            return $model;
        }

        throw new NotFoundHttpException(Yii::t('yii', 'The requested page does not exist.'));
    }

    // ClientController
    protected function findModel($id)
    {
        if (($model = Client::findOne(['id' => $id])) !== null) {
            return $model;
        }

        throw new NotFoundHttpException(Yii::t('yii', 'The requested page does not exist.'));
    }

My question is: why does the logout for Client call the User model if I’m calling the Client model in findModel?

Can you explain your logout logic (not code)?

I try to log out by sending the user or client ID via POST and the access token via GET, more or less in the same way as in the web logout, but with 2 different things to change: the status value and setting the access token to null.

On a first try, the findModel method will check if a user or a client exists, but keeping in mind that there may exist a record in the client or user table with the same ID which isn’t actually trying to log out, I built the logout method in the UserController and ClientController classes. What I saw is that Yii isn’t going into actionLogout, so I first tried using the checkAccess method on each one, and Yii isn’t calling checkAccess either; instead, it tries to find the record directly in the User table, raising the issue.

UPDATE: I’m using the advanced template, using versioned REST, set up inside the common/modules directory. Now, any request with an access token points only to the user table without entering the checkAccess method.

REST APIs are expected to be stateless. Why not just make the JWT token invalid in some way so that the next request will be 401?
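
An added example, not part of the thread and not code from any poster: one way to have a controller resolve access tokens against Client instead of User, and to revoke the caller's own token so the next request gets 401, as the last reply suggests. It relies on Yii2's `AuthMethod::$user` property; the namespace, `Client` implementing `yii\web\IdentityInterface`, and the `clientUser()` helper are assumptions.

```php
<?php
namespace common\modules\v1\controllers; // assumed module path

use yii\filters\auth\QueryParamAuth;
use yii\rest\ActiveController;
use yii\web\ServerErrorHttpException;
use yii\web\User as WebUser;
use common\models\Client; // assumed to implement yii\web\IdentityInterface

class ClientController extends ActiveController
{
    public $modelClass = Client::class;
    private $clientUser;

    // Hypothetical helper: a yii\web\User whose identityClass is Client.
    private function clientUser(): WebUser
    {
        return $this->clientUser ?? ($this->clientUser = new WebUser([
            'identityClass' => Client::class,
            'enableSession' => false, // stateless API, no session cookie
        ]));
    }

    public function behaviors(): array
    {
        $behaviors = parent::behaviors();
        // The authenticator filter runs in beforeAction(), before checkAccess()
        // and before the action body. Without 'user' it calls
        // loginByAccessToken() on the `user` application component, which
        // looks the token up through that component's identityClass.
        $behaviors['authenticator'] = [
            'class' => QueryParamAuth::class, // token is sent via GET
            'user' => $this->clientUser(),
        ];
        return $behaviors;
    }

    public function actionLogout(): array
    {
        // Act on the identity the token authenticated, not on a posted id,
        // so a caller can only revoke its own token.
        $client = $this->clientUser()->getIdentity();
        $client->access_token = null;
        $client->status = 0;
        if (!$client->save(false, ['access_token', 'status'])) {
            throw new ServerErrorHttpException('Could not revoke the access token.');
        }
        return ['success' => true]; // the old token now fails authentication
    }
}
```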