Conversation

@jhoward1994 (Contributor) commented Nov 19, 2025

What does it do?

Adds missing default permissions for the auth.refresh and auth.logout endpoints to the DEFAULT_PERMISSIONS array in the users-permissions plugin:

  • auth.refresh: public role (allows unauthenticated token refresh)
  • auth.logout: authenticated role (requires valid access token)

Why is it needed?

Calling /api/auth/refresh returned 403 Forbidden, even with a valid refresh token, because the endpoint was never added to DEFAULT_PERMISSIONS and the public role therefore had no permission to access it.

How to test it?

Prerequisites:

  • Configure users and permissions with jwtManagement: 'refresh'

Test refresh endpoint (public access):

# Login to get refresh token
curl -X POST http://localhost:1337/api/auth/local \
  -H "Content-Type: application/json" \
  -d '{"identifier":"[email protected]","password":"password"}'

# Refresh WITHOUT Authorization header (should return 200, not 403)
curl -X POST http://localhost:1337/api/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refreshToken":"<token-from-login>"}'

Expected: Returns HTTP 200 with new JWT and refreshToken

Test logout endpoint (authenticated access):

# Should require Authorization header
curl -X POST http://localhost:1337/api/auth/logout \
  -H "Authorization: Bearer <jwt-token>"

Expected: Returns HTTP 200 and invalidates session

Related issue(s)/PR(s)

Fixes #24867
Fixes #24871
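The following is an added example, not code from the PR or from Strapi itself. It models how a users-permissions style route guard decides a request's fate from the role's allow-list, and reproduces both the reported 403 on auth.refresh and the behaviour after the two entries are added. The entry shape `{ action, roleType }`, the action UIDs other than the two named in the PR, the constructed `valid-access-token` bearer value and the helper names are all assumptions.

```javascript
// Added example (not Strapi's own code): how a role-based route guard turns
// DEFAULT_PERMISSIONS into allow/deny decisions, before and after this PR.
// The { action, roleType } entry shape and all action UIDs except the two
// added by the PR are assumptions about the plugin's internals.

// Constructed stand-in for the defaults that existed before the PR.
const DEFAULTS_BEFORE = [
  { action: 'plugin::users-permissions.auth.callback', roleType: 'public' },
  { action: 'plugin::users-permissions.auth.connect', roleType: 'public' },
  { action: 'plugin::users-permissions.user.me', roleType: 'authenticated' },
];

// The same list with the two entries this PR adds.
const DEFAULTS_AFTER = [
  ...DEFAULTS_BEFORE,
  { action: 'plugin::users-permissions.auth.refresh', roleType: 'public' },
  { action: 'plugin::users-permissions.auth.logout', roleType: 'authenticated' },
];

const REFRESH = 'plugin::users-permissions.auth.refresh';
const LOGOUT = 'plugin::users-permissions.auth.logout';

// Build each role's allow-list the way a fresh install would seed it.
function buildRoles(defaults) {
  const roles = { public: new Set(), authenticated: new Set() };
  for (const { action, roleType } of defaults) roles[roleType].add(action);
  return roles;
}

// Decide which role a request runs under. A real guard verifies the JWT
// signature and expiry; here the constructed string 'valid-access-token'
// stands in for a token that passed verification.
function resolveRole(headers) {
  const auth = headers.authorization || '';
  if (!auth.startsWith('Bearer ')) return 'public';   // no credentials: public role
  const token = auth.slice('Bearer '.length);
  return token === 'valid-access-token' ? 'authenticated' : null; // null: bad token
}

// HTTP status the guard would produce for (role, action):
// 401 for a bad bearer token, 403 when the role lacks the action, else 200.
function authorize(roles, headers, action) {
  const role = resolveRole(headers);
  if (role === null) return 401;
  return roles[role].has(action) ? 200 : 403;
}

// Constructed requests exercising the bug and the fix.
function demo() {
  const before = buildRoles(DEFAULTS_BEFORE);
  const after = buildRoles(DEFAULTS_AFTER);
  const anonymous = {};                                        // no Authorization header
  const loggedIn = { authorization: 'Bearer valid-access-token' };
  return {
    refreshBefore: authorize(before, anonymous, REFRESH),     // 403: the reported bug
    refreshAfter: authorize(after, anonymous, REFRESH),       // 200 once the default exists
    logoutAnonymous: authorize(after, anonymous, LOGOUT),     // 403: logout stays authenticated-only
    logoutLoggedIn: authorize(after, loggedIn, LOGOUT),       // 200 with a valid access token
  };
}

console.log(demo());
```

The point of keeping logout on the authenticated role while refresh is public is visible in the last two results: the refresh endpoint authenticates by the refresh token in the body, so it must be reachable without an access token, whereas logout needs the bearer token to know which session to invalidate.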


@jhoward1994 jhoward1994 self-assigned this Nov 19, 2025
@jhoward1994 jhoward1994 added the source: plugin:users-permissions Source is plugin/users-permissions package label Nov 19, 2025
@jhoward1994 jhoward1994 marked this pull request as ready for review November 19, 2025 14:13
@innerdvations (Contributor) left a comment

This looks like the right solution, but I haven't tested it!

@jhoward1994 (Contributor, Author) commented Nov 20, 2025

Do you think we're missing a change like this too?

In packages/plugins/users-permissions/server/services/users-permissions.js it looks like we only assign DEFAULT_PERMISSIONS on new apps not during an update. e.g. https://github.com/strapi/strapi/blob/01a33dcd37f76c283f3caa24260aa455819deb02/packages/plugins/users-permissions/server/services/users-permissions.js#L191-L192

So even with this change, users who are upgrading would need to go into the users permissions settings in the admin to give the public role access to the refresh endpoint.

It feels like we need more sophisticated role default logic that tracks which permissions have been initialised?

@innerdvations
For now I suggest we go ahead with this change and track that for later?
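An added example, not part of the comment above and not Strapi's code: one way to apply DEFAULT_PERMISSIONS on upgrade as well as on fresh installs, with the record of already-initialised defaults that the comment asks for, so a default that an admin later disabled on purpose is not silently re-enabled. The role model `{ type, permissions: Set }`, the `initialised` key set, the action UIDs other than the two added by the PR and all function names are assumptions.

```javascript
// Added example (not Strapi's own code): upgrade-safe seeding of default
// permissions. Roles are modelled as { type, permissions: Set<actionUID> };
// `initialised` records which defaults have been applied once, so an admin
// who deliberately turned one off is not overridden on the next sync.
// The role shape, the key format and the non-PR action UIDs are assumptions.

const DEFAULT_PERMISSIONS = [
  { action: 'plugin::users-permissions.auth.callback', roleType: 'public' },
  { action: 'plugin::users-permissions.user.me', roleType: 'authenticated' },
  // The two entries added by this PR:
  { action: 'plugin::users-permissions.auth.refresh', roleType: 'public' },
  { action: 'plugin::users-permissions.auth.logout', roleType: 'authenticated' },
];

// Stable key for "this default was applied to this role type".
function defaultKey({ action, roleType }) {
  return `${roleType}:${action}`;
}

// Enables every default that has not yet been initialised for its role.
// Mutates `roles` and `initialised`; returns the keys it enabled so the
// caller can log exactly what an upgrade changed.
function syncDefaultPermissions(roles, defaults, initialised) {
  const added = [];
  for (const def of defaults) {
    const key = defaultKey(def);
    if (initialised.has(key)) continue;          // applied before: respect later admin edits
    const role = roles.find((r) => r.type === def.roleType);
    if (!role) continue;                          // role does not exist: nothing to seed
    if (!role.permissions.has(def.action)) {
      role.permissions.add(def.action);
      added.push(key);
    }
    initialised.add(key);                         // remember even if it was already on
  }
  return added;
}

// Constructed scenario: an app installed before this PR. The public role has
// only the old default, and the admin has deliberately disabled user.me for
// the authenticated role (it is initialised but absent from the role).
function upgradeScenario() {
  const roles = [
    { type: 'public', permissions: new Set(['plugin::users-permissions.auth.callback']) },
    { type: 'authenticated', permissions: new Set() },
  ];
  const initialised = new Set([
    'public:plugin::users-permissions.auth.callback',
    'authenticated:plugin::users-permissions.user.me',
  ]);
  const firstRun = syncDefaultPermissions(roles, DEFAULT_PERMISSIONS, initialised);
  const secondRun = syncDefaultPermissions(roles, DEFAULT_PERMISSIONS, initialised); // idempotent
  return { roles, firstRun, secondRun };
}

console.log(upgradeScenario());
```

Without the `initialised` record, a plain "add every missing default" sync would re-enable user.me on the authenticated role each startup, undoing the admin's choice; with it, the first run adds only the two new defaults and the second run adds nothing.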

@jhoward1994 jhoward1994 requested a review from nclsndr November 21, 2025 09:26
@jhoward1994 jhoward1994 added this to the 5.31.3 milestone Dec 2, 2025
@jhoward1994 jhoward1994 merged commit edac499 into develop Dec 2, 2025
133 of 134 checks passed
@jhoward1994 jhoward1994 deleted the fix/up-auth branch December 2, 2025 10:21

@remidej remidej modified the milestones: 5.31.3, 5.31.4 Dec 2, 2025
Labels: pr: fix (This PR is fixing a bug), source: plugin:users-permissions (Source is plugin/users-permissions package)

Linked issues this PR may close: "/auth/refresh doesn't work without Bearer header", "No refresh token when login"