Should a logout request be authenticated?
There is no need to protect logout resource.
If a session is present with the logout request; it gets invalidated. Otherwise it gets directly redirected to logout page.
I think there is a difference between a user requested logout vs. token expiry.
The short answer is you definitely must authenticate the /logout
endpoint, to prevent an attacker from forcefully logging out all your users. If you do not validate this endpoint, anyone can logout any user. Hence this endpoint must be protected.
For the situation where both the access and refresh token are expired -- the user tries to go to a page, e.g. /account
and your backend detects that the access token is expired, it will then re-direct to refresh endpoint, e.g. /refresh
.
/refresh
detects that the refresh token is also expired, and now redirects the user to the /login
page. Once the user logs in, they'll get new refresh and access tokens, and all is well with the world again.
If you're keeping a list of all active refresh tokens, then you should update the list during the 2nd user log in, and not require a separate /logout
to be called. However, these token list are typically only validated post token validation, which it won't be if the token is expired.