Don't automatically log in again if the user manually logged out

Fixes #2759
conversejs · Dec 28, 2022 · 6494b34 · 6494b34
1 parent 447fe8b
commit 6494b34
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 2 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -3,6 +3,7 @@
 ## Unreleased
 
 - #326: Add the ability to reset your password
+- #2759: Don't automatically log in again if the user manually logged out
 - #2816: Chat highlight behaves odd
 - #2925: File upload is not always enabled
 - #3001: Add option to save SCRAM details and to use them to stay logged in upon reload

diff --git a/src/headless/core.js b/src/headless/core.js
@@ -243,6 +243,11 @@ export const api = _converse.api = {
                 // Recreate all the promises
                 Object.keys(_converse.promises).forEach(replacePromise);
                 delete _converse.jid
+
+                // Remove the session JID, otherwise the user would just be logged
+                // in again upon reload. See #2759
+                localStorage.removeItem('conversejs-session-jid');
+
                 /**
                  * Triggered once the user has logged out.
                  * @event _converse#logout

diff --git a/src/headless/utils/init.js b/src/headless/utils/init.js
@@ -293,14 +293,21 @@ async function getLoginCredentialsFromURL () {
 
 
 async function getLoginCredentialsFromBrowser () {
+    const jid = localStorage.getItem('conversejs-session-jid');
+    if (!jid) return null;
+
     try {
         const creds = await navigator.credentials.get({'password': true});
         if (creds && creds.type == 'password' && isValidJID(creds.id)) {
+            // XXX: We don't actually compare `creds.id` with `jid` because
+            // the user might have been presented a list of credentials with
+            // which to log in, and we want to respect their wish.
             await setUserJID(creds.id);
             return {'jid': creds.id, 'password': creds.password};
         }
     } catch (e) {
         log.error(e);
+        return null;
     }
 }
 
@@ -319,6 +326,7 @@ async function getLoginCredentialsFromSCRAMKeys () {
 
 export async function attemptNonPreboundSession (credentials, automatic) {
     const { api } = _converse;
+
     if (api.settings.get("authentication") === _converse.LOGIN) {
         // XXX: If EITHER ``keepalive`` or ``auto_login`` is ``true`` and
         // ``authentication`` is set to ``login``, then Converse will try to log the user in,
@@ -342,9 +350,12 @@ export async function attemptNonPreboundSession (credentials, automatic) {
         }
 
         if (!_converse.isTestEnv() && 'credentials' in navigator) {
-            return connect(await getLoginCredentialsFromBrowser());
+            const credentials = await getLoginCredentialsFromBrowser();
+            if (credentials) return connect(credentials);
         }
-        !_converse.isTestEnv() && log.warn("attemptNonPreboundSession: Couldn't find credentials to log in with");
+
+        if (!_converse.isTestEnv()) log.warn("attemptNonPreboundSession: Couldn't find credentials to log in with");
+
     } else if (
         [_converse.ANONYMOUS, _converse.EXTERNAL].includes(api.settings.get("authentication")) &&
         (!automatic || api.settings.get("auto_login"))