Add a Log Out endpoint available when the session API auth feature flag is enabled

[GPortas]

Overview of the Feature Request

Initially, to emulate the JSF Log Out feature in the SPA, we considered the option of removing the JSESSIONID session cookie from the React application code, by accessing the browser cookies using a cookie management library. This solution would have the trade-off of not terminating the session in the backend, as JSF does when clicking log out, but considering the temporary lifetime of the session based API authentication, and that it will be executed on a closed and small beta testing environment, we did not find it a bad solution.

The problem with the previous solution and what makes it unfeasible is that the JSESSIONID cookie is HttpOnly, which means that it cannot be read or managed from javascript code. This has forced us to have to enable an endpoint to perform the Log Out.

Although the endpoint is publicly exposed, it only works when the feature flag is enabled, returning a server error otherwise. When the API evolves towards the final authentication mechanism, the logic of this endpoint will be modified to make it standard for all authentication mechanisms subject to Log Out (API Key is not subject to Log Out).

What kind of user is the feature intended for?

Dataverse frontend developers

What inspired the request?

• Add Login / Logout mechanism dataverse-frontend#53

What existing behavior do you want changed?

N/A

Any brand new behavior do you want to add to Dataverse Frontend?

New Log Out endpoint

Any related open or closed issues to this feature request?

• Add Login / Logout mechanism dataverse-frontend#53
• Add use case to get the current authenticated user given an auth cookie dataverse-client-javascript#56