pennersr/django-allauth

Headless Logout should return 200 instead of 401

semihsezer opened this issue · 2 comments

I find it a bit unusual that the Headless Logout endpoint returns 401 on a successful logout. Shouldn't it return 200 instead? I am not an expert on this topic by any means - so please feel free to enlighten me! :)

This is by design. The various endpoints return the status of the authentication process, and not necessarily that of the individual request. So, for example, if you pass the initial login form successfully but still need to pass the 2FA stage, you are not authenticated, meaning that the initial login also does not return a 200 but a 401. Note that this simplifies the client implementation as well. You can simply monitor all (allauth) responses, and if a 401 is returned you log out the user.
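
The rule in the reply above, as an added client-side example that is not part of this thread and not allauth's own code: every 401 from an allauth headless endpoint is folded into the client's session state as "not authenticated", whether it came from logout, from a login that still has a 2FA step pending, or from an expired session, and the client reads the pending flows from the body to decide what to show next. The endpoint paths (`/_allauth/browser/v1/...`) and the response bodies in `fakeServer` are constructed stand-ins so the example runs offline; treat them as assumptions about the API shape, not as documentation of it.

```javascript
// Added example, not allauth's code. The only fact taken from the thread is
// the status rule: 401 = "user is not authenticated right now", on any
// allauth endpoint, including a successful logout. Paths and body shapes
// below are assumed stand-ins so this runs without a server.

// Pure core: fold one allauth response into the client's view of the session.
// Returns a new session object and never mutates the one passed in.
function applyAllauthResponse(session, status, body) {
  const flows =
    body && body.data && Array.isArray(body.data.flows) ? body.data.flows : [];
  if (status === 401) {
    // Not authenticated. This covers logout, a login still waiting on 2FA and
    // an expired session alike: drop the user, keep only the pending flows so
    // the UI knows whether to show a 2FA prompt or the login form.
    return {
      user: null,
      pendingFlows: flows.filter((f) => f.is_pending).map((f) => f.id),
    };
  }
  if (status === 200 && body && body.data && body.data.user) {
    return { user: body.data.user, pendingFlows: [] };
  }
  // Other statuses (400 validation error, 409 conflict, 5xx) say nothing
  // about authentication state, so the session is left exactly as it was.
  return session;
}

// Constructed stand-in for the server, keyed by "METHOD path". Both the
// first login step (2FA still pending) and the logout answer 401.
const fakeServer = {
  "POST /_allauth/browser/v1/auth/login": {
    status: 401,
    body: { status: 401, data: { flows: [{ id: "mfa_authenticate", is_pending: true }] } },
  },
  "POST /_allauth/browser/v1/auth/2fa/authenticate": {
    status: 200,
    body: { status: 200, data: { user: { id: 1, username: "alice" } } },
  },
  "DELETE /_allauth/browser/v1/auth/session": {
    status: 401,
    body: { status: 401, data: { flows: [{ id: "login" }] } },
  },
};

// How a browser client would apply the rule around fetch (assumed signature:
// any fetch-compatible function). Not exercised by replayScenario below.
async function allauthRequest(fetchImpl, session, method, path, payload) {
  const res = await fetchImpl(path, {
    method,
    headers: { "Content-Type": "application/json" },
    body: payload === undefined ? undefined : JSON.stringify(payload),
  });
  return applyAllauthResponse(session, res.status, await res.json());
}

// Synchronous walk-through of the thread's scenario against fakeServer:
// login (401, 2FA pending) -> 2FA (200) -> logout (401). Returns a trace of
// what the client believed after each step.
function replayScenario() {
  let session = { user: null, pendingFlows: [] };
  const trace = [];
  const steps = [
    ["POST", "/_allauth/browser/v1/auth/login"],
    ["POST", "/_allauth/browser/v1/auth/2fa/authenticate"],
    ["DELETE", "/_allauth/browser/v1/auth/session"],
  ];
  for (const [method, path] of steps) {
    const { status, body } = fakeServer[`${method} ${path}`];
    session = applyAllauthResponse(session, status, body);
    trace.push({
      step: `${method} ${path}`,
      status,
      authenticated: session.user !== null,
      pendingFlows: session.pendingFlows,
    });
  }
  return trace;
}
```

The point of keeping `applyAllauthResponse` pure and endpoint-agnostic is exactly the simplification the reply describes: there is no per-endpoint special case for logout, and a 401 that arrives mid-session (for example after the server-side session expired) is handled by the same line of code as an explicit logout.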

@pennersr thanks for your answer and explaining this - that's very helpful and it makes sense 👌