JWT token not cleared out from axios headers on logout

[Gerfaut]

Hello,
I noticed that the Authorization header (containing the JWT token) is still present on the next calls just after the logout.

Here are the step to reproduce :

• Login with an existing user ;
• Navigate to produce a call to backend -> the Authorization header is set : OK.
• Go to settings and Logout -> The token is destroyed from the localStorage : OK.
• Don't refresh/reload the page your browser.
• Navigate to produce a call to backend -> the Authorization header is set : NOK.

The headers should be discarded / cleaned out after logout.
As the actions are disabled when the currentUser is not set (and that's correctly done on logout), the impact is low, but this stays quite unsecure.

Thanks a lot for this great example project!

Gerfaut

[erwinant]

Hi, i was wondering, i see there is not validating token for every API endpoint. Are u only check user for every load the route?

[thinh105]

Look like it is a bug,

The Authorization header still contains the token, I saw the code and see no action to clean that,

Test on https://vue-vuex-realworld.netlify.com/

So when we log out,
just visit https://vue-vuex-realworld.netlify.com/#/settings and change something
~> Click Update settings
~> Vola, you can change it, and also automatically login!