Custom API - logs out user on failure
@kapa.ai - I have a 401 error on a custom endpoint. When it happens, the user gets logged out - can you search the Discord for similar discussions? If you can't, I'll share some more information.
Hi @Gareth_Simpson. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Yes, this is a known and discussed behavior in Wasp. When a 401 error occurs on any endpoint (including custom APIs), Wasp's client logic will clear the auth token, effectively logging the user out in all open tabs. This happens because tabs share localStorage, so a 401 in one tab (even on a page that doesn't require auth) will clear the token for all tabs, resulting in a logout everywhere. This has been confirmed in both Discord discussions and GitHub issues:
- On Discord, users have reported that hitting a 401 on a custom or public endpoint causes a logout in all tabs, due to shared localStorage and the current logic that clears the token on any 401 response. This is considered expected (though not ideal) behavior for now, and is tracked as an open issue for improvement. The suggested solution is to differentiate between a truly invalid/expired token (where logout is correct) and simply being unauthenticated (where logout is not needed) Discord thread, GitHub issue.
- The current implementation means that if you have one tab logged in and another tab where a 401 occurs (for example, by accessing a protected endpoint without being logged in), the auth token is cleared for all tabs, logging you out everywhere. This is acknowledged as a problem and is being discussed for a better solution in the future GitHub issue.
So, you are not alone—this is a known limitation, and the Wasp team is aware and considering improvements. If you have more details or a specific scenario, feel free to share!
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
Sorry @Gareth_Simpson, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist:
Perhaps try again in 15 mins?
@kapa.ai - is this a good plan to resolve it?
Let me check the knowledge base for you again. One moment! :books:
----------------------
Based on the knowledge sources, the proposed plan to resolve the issue—differentiating between an invalid/expired auth token (where clearing the token and logging out is correct) and simply making a request without an auth token (where logout is not needed), possibly using a listener on localStorage changes—has been discussed and is considered a reasonable direction by the Wasp team. The current behavior (clearing the auth token on any 401) is recognized as problematic, especially when multiple tabs are open, and the plan aims to address this by making the logout logic more precise.
However, as of the latest discussions, this solution is still under consideration and has not yet been fully implemented or confirmed as the final approach. The issue remains open, and further testing and refinement may be needed to ensure it works as intended in all scenarios. The Wasp team and community acknowledge this as a valid and promising plan, but it is not yet finalized or documented as the official fix Revisit auth token clearing behavior on 401 responses.
If you have specific requirements or edge cases, sharing them could help inform the ongoing discussion and solution.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
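The plan the bot describes above (only treat a 401 as "token invalid" when the request actually carried the stored token, so an anonymous request on a public endpoint cannot log out every other tab) can be sketched as a small client-side wrapper. This is an added illustration written for this thread, not Wasp's own client code or the fix discussed in the linked issue; the storage key `authToken`, the `withAuthHandling` wrapper and the fake server are all assumptions made for the example.

```javascript
// Added example, not Wasp's client code. Models the proposal from the thread:
// on a 401, clear the shared (localStorage) auth token only when the request
// actually sent that token. Anonymous requests and requests made with a token
// that another tab has already replaced leave storage untouched.

const TOKEN_KEY = 'authToken'; // assumed storage key for the example

// Minimal stand-in for window.localStorage so the example runs in Node.
function createStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => data.set(k, String(v)),
    removeItem: (k) => data.delete(k),
  };
}

// Classify a response. Returns one of:
//  'keep'  - not a 401, or a 401 on a request that sent no token (plain unauthenticated)
//  'stale' - 401 for a token that is no longer the one in storage (another tab re-authenticated)
//  'clear' - 401 for the token currently stored: it is invalid/expired, so log out
function classify401(response, sentToken, storage) {
  if (response.status !== 401) return 'keep';
  if (!sentToken) return 'keep';              // nothing was presented, nothing to revoke
  const current = storage.getItem(TOKEN_KEY);
  if (current !== sentToken) return 'stale';  // token rotated meanwhile; do not touch it
  return 'clear';
}

// Apply the decision. Returns true when the stored token was removed (user logged out).
function handleResponse(response, sentToken, storage) {
  if (classify401(response, sentToken, storage) !== 'clear') return false;
  storage.removeItem(TOKEN_KEY);
  return true;
}

// Wrap a fetch-like function. The token is read once, before the request, and
// handed to the handler so the 401 check compares against what was really sent.
function withAuthHandling(fetchImpl, storage) {
  return async function authFetch(url, init = {}) {
    const token = storage.getItem(TOKEN_KEY);
    const headers = { ...(init.headers || {}) };
    if (token) headers.Authorization = `Bearer ${token}`;
    const response = await fetchImpl(url, { ...init, headers });
    handleResponse(response, token, storage);
    return response;
  };
}

// Constructed demo: a fake server that accepts only the token "good".
async function demo() {
  const storage = createStorage();
  const fakeFetch = async (url, init) => {
    const auth = (init.headers || {}).Authorization;
    if (url === '/public') return { status: 200 };
    return auth === 'Bearer good' ? { status: 200 } : { status: 401 };
  };
  const fetch = withAuthHandling(fakeFetch, storage);

  await fetch('/protected');                 // anonymous 401: storage stays empty
  console.log('after anonymous 401:', storage.getItem(TOKEN_KEY));        // null
  storage.setItem(TOKEN_KEY, 'good');
  await fetch('/protected');                 // 200, token kept
  console.log('after valid request:', storage.getItem(TOKEN_KEY));        // good
  storage.setItem(TOKEN_KEY, 'expired');     // simulate server-side revocation
  await fetch('/protected');                 // 401 with the stored token: logout
  console.log('after expired token:', storage.getItem(TOKEN_KEY));        // null
}

demo();
```

The check in `classify401` is deliberately narrow: it never logs out on a 401 that the client caused by sending no credentials, which is exactly the case the thread identifies as producing cross-tab logouts. A server that also signals token problems explicitly (for example via the `WWW-Authenticate` header) would let the client be stricter still, but the thread does not describe such a signal, so the example relies only on the status code and the token that was sent.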
Sorry @Gareth_Simpson, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist:
Perhaps try again in 15 mins?
I believe this is something @Carlos addressed recently and should be fixed in 0.17.0?
If the endpoint is /auth/me, yes.
GitHub: Do not return a 401 error on unauthorized requests to /auth/me by...
Description
Fixes #1880
/auth/me will not return a 401 code for a user who is not logged in, but a 200 with null.
Thus, useAuth() will not print an error to the console when it's called whe...