private void TokenLogout(string accessHeadAndPayload, TokenManager tokenManager, HttpContextBase context)
{
if (!String.IsNullOrWhiteSpace(accessHeadAndPayload))
{
var authCookie = CookieHelper.GetCookie(context.Request, AccessSignatureCookieName);
if (authCookie == null)
{
throw new UnauthorizedAccessException("Missing access cookie.");
}
var accessSignature = authCookie.Value;
var principal = tokenManager.ValidateToken(accessHeadAndPayload + "." + accessSignature, false);
if (principal == null)
{
throw new UnauthorizedAccessException("Invalid access token.");
}
bool.TryParse(AuthenticationHelper.GetRequestParameterValue(context, "ultimateLogout"), out var ultimateLogout);
// ultimately log out only if the user has not been logged out already, if he has, just a local logout executes
if (ultimateLogout || Configuration.Security.DefaultUltimateLogout)
{
ultimateLogout = !UserHasLoggedOut(tokenManager, principal.Identity.Name, accessHeadAndPayload, out var portalPrincipal);
using (AuthenticationHelper.GetSystemAccount())
{
context.User = portalPrincipal;
}
}
_logoutExecutor?.Logout(ultimateLogout);
CookieHelper.DeleteCookie(context.Response, AccessSignatureCookieName);
CookieHelper.DeleteCookie(context.Response, AccessHeadAndPayloadCookieName);
CookieHelper.DeleteCookie(context.Response, RefreshSignatureCookieName);
context.Response.StatusCode = HttpResponseStatusCode.Ok;
}
}
