如果您在 JWT 的 Express 后端的登录路由中的响应上设置 cookie 并使用“httpOnly”选项,则即使使用“universal-”等第三方库,您也无法从客户端/react 访问令牌cookie' 或 'document.cookie'。
您需要清除后端响应中的 cookie,例如当用户注销时。
前端:
// React redux logout action
export const logout = () => async (dispatch) => {
try {
await axios.get('/api/auth/logout')
localStorage.removeItem('userInfo')
dispatch({ type: type.USER_LOGOUT })
} catch (error) {
console.log(error)
}
}
Backend:
const User = require('../../models/userModel')
const generateToken = require('../../utils/generateToken')
// @desc Auth user & get token
// @route POST /api/auth/login
// @access Public
const login = async (req, res) => {
const { email, password } = req.body
try {
const user = await User.findOne({ email })
if (user && (await user.verifyPassword(password))) {
let token = generateToken(user._id)
res.cookie('token', token, {
maxAge: 7200000, // 2 hours
secure: false, // set to true if you're using https
httpOnly: true,
})
res.json({
_id: user._id,
name: user.name,
email: user.email,
isAdmin: user.isAdmin,
token: token,
})
} else {
res
.status(401)
.json({ success: false, message: 'Invalid email or password' })
}
} catch (error) {
res.status(500).json({ success: false, message: error.toString() })
}
}
// @desc Logout controller to clear cookie and token
// @route GET /api/auth/logout
// @access Private
const logout = async (req, res) => {
// Set token to none and expire after 5 seconds
res.cookie('token', 'none', {
expires: new Date(Date.now() + 5 * 1000),
httpOnly: true,
})
res
.status(200)
.json({ success: true, message: 'User logged out successfully' })
}
module.exports = {
login,
logout,
}