clean up urls even more

src/backend/InvenTree/InvenTree/urls.py

@@ -94,7 +94,6 @@ apipatterns = [
     path(
         'auth/',
         include([
-            path('logout/', users.api.Logout.as_view(), name='api-logout'),
             path(
                 'login-redirect/',
                 users.api.LoginRedirect.as_view(),
@@ -105,10 +104,9 @@ apipatterns = [
                 include(
                     (build_urlpatterns(Client.BROWSER), 'headless'), namespace='browser'
                 ),
-            ),
+            ),  # Allauth headless logic (only the browser client is included as we only use sessions based auth there)
         ]),
     ),
-    path('_allauth/', include('allauth.headless.urls')),
     # Magic login URLs
     path(
         'email/generate/',
@@ -122,8 +120,10 @@ apipatterns = [
 
 
 backendpatterns = [
-    path('auth/', include('rest_framework.urls', namespace='rest_framework')),
-    path('auth/', auth_request),
+    path(
+        'auth/', include('rest_framework.urls', namespace='rest_framework')
+    ),  # Used for (DRF) browsable API auth
+    path('auth/', auth_request),  # Used for proxies to check if user is authenticated
     path('api/', include(apipatterns)),
     path('api-doc/', SpectacularRedocView.as_view(url_name='schema'), name='api-doc'),
 ]

src/backend/InvenTree/users/api.py

@@ -9,7 +9,6 @@ from django.views.decorators.csrf import ensure_csrf_cookie
 from django.views.generic.base import RedirectView
 
 import structlog
-from drf_spectacular.utils import OpenApiResponse, extend_schema, extend_schema_view
 from rest_framework import exceptions, permissions
 from rest_framework.generics import DestroyAPIView
 from rest_framework.permissions import IsAuthenticated
@@ -216,36 +215,6 @@ class GroupList(GroupMixin, ListCreateAPI):
     ordering_fields = ['name']
 
 
-@extend_schema_view(
-    post=extend_schema(
-        responses={200: OpenApiResponse(description='User successfully logged out')}
-    )
-)
-class Logout(APIView):
-    """API view for logging out via API."""
-
-    serializer_class = None
-
-    def post(self, request):
-        """Logout the current user.
-
-        Deletes user token associated with request.
-        """
-        from InvenTree.middleware import get_token_from_request
-
-        if request.user:
-            token_key = get_token_from_request(request)
-
-            if token_key:
-                try:
-                    token = ApiToken.objects.get(key=token_key, user=request.user)
-                    token.delete()
-                except ApiToken.DoesNotExist:  # pragma: no cover
-                    pass
-
-        return super().logout(request)
-
-
 class GetAuthToken(APIView):
     """Return authentication token for an authenticated user."""
 

src/backend/InvenTree/users/test_api.py

@@ -83,15 +83,6 @@ class UserAPITests(InvenTreeAPITestCase):
         self.assertIn('name', response.data)
         self.assertIn('permissions', response.data)
 
-    # def test_logout(self):
-    #     """Test api logout endpoint."""
-    #     token_key = self.get(url=reverse('api-token')).data['token']
-    #     self.client.logout()
-    #     self.client.credentials(HTTP_AUTHORIZATION='Token ' + token_key)
-
-    #     self.post(reverse('api-logout'), expected_code=200)
-    #     self.get(reverse('api-token'), expected_code=401)
-
     def test_login_redirect(self):
         """Test login redirect endpoint."""
         response = self.get(reverse('api-login-redirect'), expected_code=302)