Description
The `signOut` method does not work as expected if the application is not using the authkit-nextjs middleware.

I am not using the auth middleware. Instead, I've created my own middleware using the `authkit` (as supported in the authkit-nextjs docs). When I call the `signOut` method, it successfully removes the `wos-session` cookie, but it doesn't remotely log out of the WorkOS domain. As a result, the next time the user goes to the sign-in endpoint, it automatically logs them in because they're still signed in to the WorkOS domain.

This seems to be happening because the `signOut` method uses `withAuth` to get the Session ID, but I believe that `withAuth` only works on routes that are using the authkit-nextjs middleware. As a result, it gets no Session ID and so doesn't ever attempt to log out remotely. It also doesn't throw any error or give any indication that it didn't find a Session ID.

Here are some possible solutions:
- The `signOut` method can read the Session ID in some other way, so it doesn't rely on the middleware.
- authkit-nextjs can expose a method that allows the user to manually delete the `wos-session` cookie. This would make it easier to build customer sign out flows.

Thank you!
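
The failure mode reported above (local cookie cleared, remote session left active, no error raised) can be guarded against with a sign-out helper that fails loudly. This is an added example, not part of the original report and not authkit-nextjs code. It assumes the application already holds the user's access token, that the token is a JWT carrying the session ID in a `sid` claim, and that the logout endpoint takes a `session_id` query parameter; all function names and the endpoint URL are hypothetical.

```javascript
// Added illustration, not authkit-nextjs source; every function name is hypothetical.

// Read the `sid` claim from a JWT payload (assumed to hold the session ID).
// No signature check: the value only selects which session to end and is
// never used to authorize anything.
function sessionIdFromAccessToken(accessToken) {
  const parts = String(accessToken || '').split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof claims.sid === 'string' && claims.sid !== '' ? claims.sid : null;
  } catch {
    return null; // payload was not base64url-encoded JSON
  }
}

// Fail-loud sign-out: always clear the local cookie, then either return the
// remote logout URL or throw, so a local-only logout cannot pass unnoticed.
// `logoutEndpoint` and the `session_id` parameter name are assumptions.
function signOutStrict(accessToken, clearCookie, logoutEndpoint) {
  clearCookie();
  const sessionId = sessionIdFromAccessToken(accessToken);
  if (!sessionId) {
    throw new Error('local cookie cleared, but no session ID found: remote session still active');
  }
  const url = new URL(logoutEndpoint);
  url.searchParams.set('session_id', sessionId);
  return url.toString();
}

// Constructed sample token (unsigned, for demonstration only).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc(claims)}.constructed-signature`;
}

const sampleToken = makeSampleToken({ sub: 'user_constructed', sid: 'session_constructed_01' });
console.log(signOutStrict(sampleToken, () => {}, 'https://auth.example.test/logout'));
```

The caller redirects the browser to the returned URL; a thrown error is the signal to log the incomplete logout instead of treating the user as signed out.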