This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Logout succeeds without token revocation #605

Open
sshymko opened this issue Mar 1, 2017 · 0 comments

Comments


sshymko commented Mar 1, 2017

The built-in endpoint /logout returns a successful 200 OK status even when no tokens (access and/or refresh) have been revoked. That can happen when no tokens have been passed as part of the request, as they're not required.

This behavior opens the door for mistakes in a client application that can easily go unnoticed because the "logout" appears to succeed.

The expected behavior would be to require passing the access token. The call should succeed only upon invalidation of a known token.

The refresh token being optional allows it to be mistakenly omitted from the request as well. That can easily happen due to the domain/path scope of cookies. In this case the "logout" will be misinterpreted as successful even though the refresh token remains valid.

sshymko changed the title from "Logout succeeds when no token revocation happens" to "Logout succeeds without token revocation" on Mar 1, 2017
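The two behaviors described in the issue, as an added example that is not the project's own code: an in-memory model of a lenient /logout that always answers 200 beside a strict one that requires the access token and answers 200 only after a known token has actually been revoked. The status codes, the TokenStore layout, and binding both tokens to a session id so the paired refresh token is revoked even when its cookie was not sent are assumptions; that last point goes slightly beyond the issue text, which only asks that the call fail when no known token is passed.

```python
# Added example, not the project's own code: a minimal in-memory model of the
# /logout behavior from the issue. Status codes, the TokenStore shape and the
# idea of binding both tokens to one session id are assumptions; all tokens
# and session ids below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class TokenStore:
    access: dict = field(default_factory=dict)   # access token  -> session id
    refresh: dict = field(default_factory=dict)  # refresh token -> session id

def logout_lenient(store, access_token=None, refresh_token=None):
    """Reported behavior: both tokens optional and 200 returned regardless
    of whether anything was revoked, so a request that lost its cookies
    looks like a successful logout to the client."""
    if access_token:
        store.access.pop(access_token, None)
    if refresh_token:
        store.refresh.pop(refresh_token, None)
    return 200

def logout_strict(store, access_token=None, refresh_token=None):
    """Expected behavior: the access token is required and 200 is returned
    only after a known token has been invalidated. Because the refresh
    token may legitimately be missing (cookie domain/path scope), every
    refresh token bound to the same session is revoked server-side too."""
    if access_token is None:
        return 400                      # nothing to revoke: not a logout
    session = store.access.pop(access_token, None)
    if session is None:
        return 401                      # unknown or already revoked token
    store.refresh = {
        tok: sid for tok, sid in store.refresh.items()
        if sid != session and tok != refresh_token
    }
    return 200

def demo():
    """Run both handlers against the same constructed session with no tokens
    in the request and report the status plus the tokens left alive."""
    results = {}
    for handler in (logout_lenient, logout_strict):
        store = TokenStore(access={"acc-1": "s1"}, refresh={"ref-1": "s1"})
        status = handler(store)                        # client sent no tokens
        results[handler.__name__] = (status, sorted(store.access), sorted(store.refresh))
    return results

if __name__ == "__main__":
    for name, (status, acc, ref) in demo().items():
        print(f"{name}: status={status} live access={acc} live refresh={ref}")
```

The lenient handler reports 200 while both tokens stay valid; the strict handler rejects the same request with 400 and only returns 200 once a known access token, and the refresh token bound to its session, is gone.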