Although I haven’t authenticated any user yet (I did in a previous session), I’m still getting a user and an access token, even though I’ve cleared all the cache, including cookies and everything.
My question is: where does checkSession get its user info from?
The checkSession() function checks for a user’s session in Auth0 based on the auth0 cookie set in the browser. Usually, when there’s a valid cookie and the user’s session still exists in Auth0 (the duration of the session is controlled by the global tenant SSO settings), the tokens will be renewed and returned.
You most likely did not clear the auth0 cookie in the browser that was set for the Auth0 domain your application authenticated against. To ensure the cookie is deleted, you can open chrome://settings/siteData in a Chromium browser, find your Auth0 domain and delete the auth0 cookie there. Now the checkSession() call would not return any tokens.
A better way to ensure the user’s session is cleared in the identity provider (Auth0) is to redirect the user to https://YOUR_DOMAIN/v2/logout. More on logout here: Log Users Out of Auth0
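As an added example (not code from the thread or from Auth0), this shows how an app can treat the checkSession() result described above as a statement about the Auth0 session rather than about local state, and how to end that session via the /v2/logout endpoint. It assumes the auth0.js SDK (auth0.WebAuth) is loaded in the browser; AUTH0_DOMAIN, CLIENT_ID and RETURN_TO are placeholders for your tenant values.

```javascript
// Placeholders for the tenant; RETURN_TO must be listed in the app's Allowed Logout URLs.
const AUTH0_DOMAIN = 'YOUR_DOMAIN';        // e.g. tenant.auth0.com (placeholder)
const CLIENT_ID = 'YOUR_CLIENT_ID';        // placeholder
const RETURN_TO = 'https://app.example/';  // constructed sample value

// Map a checkSession() callback to a simple session state. A 'login_required'
// error means Auth0 found no session for the auth0 cookie; an authResult with
// an access token means the Auth0 SSO session is still alive, regardless of
// what the app has (or has not) cached locally.
function interpretCheckSession(err, authResult) {
  if (err) {
    return err.error === 'login_required' ? 'no-session' : 'error';
  }
  return authResult && authResult.accessToken ? 'session-active' : 'no-session';
}

// Build the /v2/logout URL that ends the session at the identity provider.
// Clearing local storage alone leaves the auth0 cookie in place, so
// checkSession() would keep renewing tokens until this endpoint is hit.
function buildLogoutUrl(domain, clientId, returnTo) {
  const params = new URLSearchParams({ client_id: clientId, returnTo });
  return `https://${domain}/v2/logout?${params.toString()}`;
}

// Wiring into auth0.js; only runs in a browser where the SDK is present.
if (typeof window !== 'undefined' && typeof auth0 !== 'undefined') {
  const webAuth = new auth0.WebAuth({
    domain: AUTH0_DOMAIN,
    clientID: CLIENT_ID,
    redirectUri: window.location.origin,
    responseType: 'token id_token',
    scope: 'openid profile',
  });
  webAuth.checkSession({}, (err, authResult) => {
    const state = interpretCheckSession(err, authResult);
    if (state === 'session-active') {
      // These tokens came from the Auth0 session cookie, not from local storage.
      console.log('Auth0 session still active; token expires in', authResult.expiresIn, 's');
    } else {
      console.log('no Auth0 session; user must log in again');
    }
  });
  // Logging out means redirecting to Auth0, not just dropping local tokens.
  const logoutButton = document.getElementById('logout');
  if (logoutButton) {
    logoutButton.addEventListener('click', () => {
      window.location.assign(buildLogoutUrl(AUTH0_DOMAIN, CLIENT_ID, RETURN_TO));
    });
  }
}
```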