Anonymous User destroyed on Logout

tamarinda · March 10, 2021, 4:07pm

Hi!

On logout of an anonymous user, that user is destroyed hence deleted from the Database. See line 1151 in ParseUser

if (isAnonymous) {
    return currentUser.destroy({ sessionToken: currentSession });
}

My question is regarding the design decision.

I understand to remove the Session and remove the user from disk, but I am wondering how come the user is deleted from the User collection. As any other user, the anonymous user can affect other Collections when they interact in the app (I am using it in React Native), and if the user for some reason logs out and the User gets destroyed, it can leave the Database inconsistent.

For example, an Anonymous user does a purchase of a product and that creates an entry in a Purchase Collection that is related to a User. If the anonymous user logs out, that Purchase is left related to a User that doesn’t exist anymore.

There is probably a good reason for it and I might be missing something. In one hand I would like to know why, in case I might be doing something wrong and if there is any way around it.

Thank you!

davimacedo · March 10, 2021, 7:20pm

I’m not sure about the reason (perhaps because this user would not be able to login again?). As an workaround you can create beforeDelete or afterDelete triggers to your User class in order to maintain the database consistency.

Manuel · March 10, 2021, 7:58pm

Sounds unintuitive to me that an anonymous user is destroyed on logout. If that is really the case and not a bug, then I think this should at least be configurable and have a big warning in the docs.

dplewis · March 10, 2021, 9:22pm

The JS SDK mimics the iOS and Android SDK

Once logged out, an anonymous user cannot be recovered.

It doesn’t specify what cannot be recovered means.

I also don’t see an anonymous user being destroyed in the iOS SDK / client side unless I missed something.

I believe we can remove the deletion. It makes sense.

tamarinda · March 11, 2021, 4:07pm

I’m not sure about the reason (perhaps because this user would not be able to login again?)

I understand the user would not be able to login again, as it should be, but I would have thought that this would be able to be achieved by deleting the Session, no need to delete the User

As an workaround you can create beforeDelete or afterDelete triggers

Awesome! Thank you so much for the suggestion, for now that is what I am using beforeDelete trigger and respond with an error to prevent the deletion of Users.

tamarinda · March 11, 2021, 4:14pm

I think so too, it being configurable would be a good way to go.

Interesting that the iOS SDK works differently. This was also not the case in previous versions of the Javascript SDK:

SDK v1.11.0: in no scenario a user was deleted.
SDK 2.19.0 and master branch: in 2 scenarios, on logout and setCurrentUser

async setCurrentUser(user) {
    const currentUser = await this.currentUserAsync();
    if (currentUser && !user.equals(currentUser) && AnonymousUtils.isLinked(currentUser)) {
      await currentUser.destroy({ sessionToken: currentUser.getSessionToken() })
    }
...
}

dplewis · March 11, 2021, 4:39pm

I was the one that added the AnonymousUtils to the SDK. Now that I think about it you may be right. If you just use linkWith anonymous instead of AnonymousUtils the user doesn’t get deleted.

I’ll open a PR with a fix. Logout doesn’t destroy and setCurrentUser should just strip the anonymous user.

tamarinda · March 11, 2021, 4:55pm

Awesome, thank you @dplewis!

davimacedo · March 11, 2021, 9:59pm

I believe that, if you return an error, the session will not be deleted either.

dplewis · March 19, 2021, 1:24am

I created a PR