I would like to post a minor correction/suggestion. If this is written for a REST API, request.logout() will only remove the user from the session, but the session itself won't be removed from the session store. Instead, in the logout route you should write something like this:
where ExpressResponse is the Response type from express, so as not to clash with Response type from @nestjs/common
request.session.destroy() will remove the session from the store, and in the callback the session cookie must be deleted, since neither Nest nor Passport seem to do this for you. this.config.get("SESSION_NAME") will retrieve the cookie name from a .env file, assuming you set up the @nestjs/config library; otherwise just type in the name of the session cookie, which by default is connect.sid. Lastly, response.end() will finish the request manually, since the response object was injected.
EDIT: the previous response.clearCookie() call will not work if you had set httpOnly to true, so you must specify the whole cookie's parameters as shown above. Apparently all the previous parameters have to match except max age and expires.
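The difference the comment above describes, as an added example that is not code from the original post, from Nest, or from Passport: a framework-free TypeScript model of the logout flow. The small Request, Response and SessionStore shapes, the makeRequest/makeResponse helpers and the demo() driver are assumptions standing in for express-session and Passport; the store invokes callbacks synchronously so the two variants can be compared without running a server.

```typescript
// Constructed model of the logout flow. The interfaces below are assumptions,
// not the real express/express-session/Passport types.

interface CookieOptions {
  httpOnly?: boolean;
  secure?: boolean;
  sameSite?: "lax" | "strict" | "none";
  path?: string;
  domain?: string;
  maxAge?: number;
}

// In-memory stand-in for a session store (Redis, Mongo, ...). Callbacks fire
// synchronously here purely so the example is checkable without a server.
class SessionStore {
  private sessions = new Map<string, { passport?: { user?: string } }>();
  create(id: string, user: string): void {
    this.sessions.set(id, { passport: { user } });
  }
  has(id: string): boolean {
    return this.sessions.has(id);
  }
  get(id: string): { passport?: { user?: string } } | undefined {
    return this.sessions.get(id);
  }
  destroy(id: string, cb: (err?: Error) => void): void {
    this.sessions.delete(id);
    cb();
  }
}

interface Session {
  id: string;
  destroy(cb: (err?: Error) => void): void;
}

interface Request {
  session: Session;
  logout(): void;
}

interface Response {
  clearedCookies: Array<{ name: string; options: CookieOptions }>;
  ended: boolean;
  clearCookie(name: string, options?: CookieOptions): void;
  end(): void;
}

function makeRequest(store: SessionStore, sessionId: string): Request {
  return {
    session: { id: sessionId, destroy: (cb) => store.destroy(sessionId, cb) },
    // Models Passport's req.logout(): removes the user from the session data
    // but leaves the session record itself sitting in the store.
    logout: () => {
      const s = store.get(sessionId);
      if (s) delete s.passport;
    },
  };
}

function makeResponse(): Response {
  const clearedCookies: Array<{ name: string; options: CookieOptions }> = [];
  const res: Response = {
    clearedCookies,
    ended: false,
    clearCookie: (name, options = {}) => clearedCookies.push({ name, options }),
    end: () => { res.ended = true; },
  };
  return res;
}

// The incomplete logout: only Passport's logout(). The store record survives,
// so the session id stays valid until the store expires it.
function naiveLogout(req: Request, res: Response): void {
  req.logout();
  res.end();
}

// The corrected logout: destroy the store record, then clear the cookie with
// the same attributes it was set with (httpOnly, secure, sameSite, path,
// domain) minus maxAge/expires, so the browser matches and drops it.
function fullLogout(req: Request, res: Response, cookieName: string, opts: CookieOptions): void {
  req.logout();
  req.session.destroy((err) => {
    if (err) throw err; // in Nest, surface this as an HTTP 500 instead
    const matchOpts: CookieOptions = { ...opts };
    delete matchOpts.maxAge;
    res.clearCookie(cookieName, matchOpts);
    res.end();
  });
}

// Run both variants against fresh stores so the difference is observable.
function demo() {
  const cookieOpts: CookieOptions = { httpOnly: true, secure: true, sameSite: "lax", path: "/", maxAge: 3600000 };

  const store1 = new SessionStore();
  store1.create("sid-1", "alice"); // constructed session id and user
  naiveLogout(makeRequest(store1, "sid-1"), makeResponse());

  const store2 = new SessionStore();
  store2.create("sid-2", "alice");
  const res2 = makeResponse();
  fullLogout(makeRequest(store2, "sid-2"), res2, "connect.sid", cookieOpts);

  return {
    naiveStillInStore: store1.has("sid-1"), // true: record lingers after logout()
    fullStillInStore: store2.has("sid-2"),  // false: destroy() removed it
    clearedCookie: res2.clearedCookies[0],
    ended: res2.ended,
  };
}
```

A session record that outlives logout is a real defender concern: anyone holding the old cookie value (a shared machine, a leaked header) can keep using it until the store's TTL runs out, and server-side revocation tooling will still count it as a live session. Destroying the record and clearing the cookie with matching attributes closes both gaps.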