Don't automatically log in again if the user manually logged out

Fixes #2759
2022-12-28 09:41:53 +01:00 · 2022-12-28 09:41:53 +01:00 · 6494b34da3
parent 447fe8ba08
commit 6494b34da3
3 changed files with 19 additions and 2 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -3,6 +3,7 @@
 ## Unreleased

 - #326: Add the ability to reset your password
+- #2759: Don't automatically log in again if the user manually logged out
 - #2816: Chat highlight behaves odd
 - #2925: File upload is not always enabled
 - #3001: Add option to save SCRAM details and to use them to stay logged in upon reload
--- a/src/headless/core.js
+++ b/src/headless/core.js
@ -243,6 +243,11 @@ export const api = _converse.api = {
                // Recreate all the promises
                Object.keys(_converse.promises).forEach(replacePromise);
                delete _converse.jid
+
+                // Remove the session JID, otherwise the user would just be logged
+                // in again upon reload. See #2759
+                localStorage.removeItem('conversejs-session-jid');
+
                /**
                 * Triggered once the user has logged out.
                 * @event _converse#logout
--- a/src/headless/utils/init.js
+++ b/src/headless/utils/init.js
@ -293,14 +293,21 @@ async function getLoginCredentialsFromURL () {


 async function getLoginCredentialsFromBrowser () {
+    const jid = localStorage.getItem('conversejs-session-jid');
+    if (!jid) return null;
+
    try {
        const creds = await navigator.credentials.get({'password': true});
        if (creds && creds.type == 'password' && isValidJID(creds.id)) {
+            // XXX: We don't actually compare `creds.id` with `jid` because
+            // the user might have been presented a list of credentials with
+            // which to log in, and we want to respect their wish.
            await setUserJID(creds.id);
            return {'jid': creds.id, 'password': creds.password};
        }
    } catch (e) {
        log.error(e);
+        return null;
    }
 }

@ -319,6 +326,7 @@ async function getLoginCredentialsFromSCRAMKeys () {

 export async function attemptNonPreboundSession (credentials, automatic) {
    const { api } = _converse;
+
    if (api.settings.get("authentication") === _converse.LOGIN) {
        // XXX: If EITHER ``keepalive`` or ``auto_login`` is ``true`` and
        // ``authentication`` is set to ``login``, then Converse will try to log the user in,
@ -342,9 +350,12 @@ export async function attemptNonPreboundSession (credentials, automatic) {
        }

        if (!_converse.isTestEnv() && 'credentials' in navigator) {
-            return connect(await getLoginCredentialsFromBrowser());
+            const credentials = await getLoginCredentialsFromBrowser();
+            if (credentials) return connect(credentials);
        }
-        !_converse.isTestEnv() && log.warn("attemptNonPreboundSession: Couldn't find credentials to log in with");
+
+        if (!_converse.isTestEnv()) log.warn("attemptNonPreboundSession: Couldn't find credentials to log in with");
+
    } else if (
        [_converse.ANONYMOUS, _converse.EXTERNAL].includes(api.settings.get("authentication")) &&
        (!automatic || api.settings.get("auto_login"))