nhost / hasura-backend-plus

🔑Auth and 📦Storage for Hasura. The quickest way to get Auth and Storage working for your next app based on Hasura.
https://nhost.github.io/hasura-backend-plus/
MIT License
1.17k stars 187 forks

400 Bad Request error after logout #587

Closed migsar closed 3 years ago

migsar commented 3 years ago

I'm using the Insomnia API client and not a browser, so this might be a problem specific to how Insomnia handles cookies, but I still think it is important to document it.

After logging out I cannot make any other request; I get a 400 response and the following log:

hasura-backend-plus_1  | ::ffff:127.0.0.1 - - [10/Jun/2021:10:31:40 +0000] "GET /healthz HTTP/1.1" 200 2
hasura-backend-plus_1  | TypeError: Cannot read property 'unauthorized' of undefined
hasura-backend-plus_1  |     at authMiddleware (/app/dist/middlewares/auth.js:54:29)
hasura-backend-plus_1  |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
hasura-backend-plus_1  |     at trim_prefix (/app/node_modules/express/lib/router/index.js:317:13)
hasura-backend-plus_1  |     at /app/node_modules/express/lib/router/index.js:284:7
hasura-backend-plus_1  |     at Function.process_params (/app/node_modules/express/lib/router/index.js:335:12)
hasura-backend-plus_1  |     at next (/app/node_modules/express/lib/router/index.js:275:10)
hasura-backend-plus_1  |     at cookieParser (/app/node_modules/cookie-parser/index.js:71:5)
hasura-backend-plus_1  |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
hasura-backend-plus_1  |     at trim_prefix (/app/node_modules/express/lib/router/index.js:317:13)
hasura-backend-plus_1  |     at /app/node_modules/express/lib/router/index.js:284:7
hasura-backend-plus_1  |     at Function.process_params (/app/node_modules/express/lib/router/index.js:335:12)
hasura-backend-plus_1  |     at next (/app/node_modules/express/lib/router/index.js:275:10)
hasura-backend-plus_1  |     at initialize (/app/node_modules/passport/lib/middleware/initialize.js:53:5)
hasura-backend-plus_1  |     at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
hasura-backend-plus_1  |     at trim_prefix (/app/node_modules/express/lib/router/index.js:317:13)
hasura-backend-plus_1  |     at /app/node_modules/express/lib/router/index.js:284:7

On the Docker instance with the dist version, the problem is the following, but I couldn't translate it to the source code version (I didn't try that hard):

if ('permission_variables' in cookiesInUse) {
    try {
        req.permission_variables = helpers_1.getPermissionVariablesFromCookie(req);
    }
    catch (err) {
        // HERE boom IS undefined
        return res.boom.unauthorized(err.message);
    }
}

I realize that the problem is that /auth/logout has the following headers, which still set the cookies, but with empty values.

...
Set-Cookie: refresh_token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: permission_variables=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
...

If I completely (manually) delete the cookies, it starts working again.

elitan commented 3 years ago
...
Set-Cookie: refresh_token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: permission_variables=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT
...

These cookies should not be sent by the client (browser / API client), given that they expired in 1970 (it's 2021 now ;)).

I think this is an issue with the API client. We're using res.clearCookie() internally.
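The interaction described in this thread, reproduced as an added example in plain Node.js (this is not code from hasura-backend-plus or from either commenter). It covers both points above: a cookie jar that does not honour `Expires=Thu, 01 Jan 1970` keeps sending `permission_variables=` with an empty value, the `'permission_variables' in cookies` check in the quoted middleware still sees the cookie, parsing throws, and the error path then dereferences `res.boom`, which is a TypeError when no boom decorator ran. A hardened variant treats an empty cookie as absent and returns a 401 without depending on the decorator. `getPermissionVariablesFromCookie`, the cookie values and the `simulate` harness are stand-ins constructed for the demonstration; the two Set-Cookie lines are the ones quoted in the issue.

```javascript
// Parse a Cookie request header into name -> value (the shape cookie-parser produces).
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name && !(name in out)) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Parse one Set-Cookie response header value into { name, value, <lower-cased attrs> }.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';');
  const idx = pair.indexOf('=');
  const cookie = { name: pair.slice(0, idx).trim(), value: pair.slice(idx + 1).trim() };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map((s) => s.trim());
    cookie[k.toLowerCase()] = v === undefined ? true : v;
  }
  return cookie;
}

// Apply Set-Cookie lines to a jar. A compliant jar (RFC 6265 section 5.3) removes a
// cookie whose Expires lies in the past; a sloppy jar just stores the empty value.
function applySetCookies(jar, lines, compliant) {
  const next = { ...jar };
  for (const line of lines) {
    const c = parseSetCookie(line);
    const expired = c.expires !== undefined && Date.parse(c.expires) <= Date.now();
    if (compliant && expired) delete next[c.name];
    else next[c.name] = c.value;
  }
  return next;
}

function jarToCookieHeader(jar) {
  return Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
}

// Stand-in for the real helper (assumption): accept only a non-empty JSON value.
function getPermissionVariablesFromCookie(req) {
  const raw = req.cookies.permission_variables;
  if (!raw) throw new Error('permission_variables cookie is empty');
  return JSON.parse(raw);
}

// Same shape as the check quoted in the issue: presence test, res.boom on error.
function authMiddlewareOriginal(req, res) {
  if ('permission_variables' in req.cookies) { // also true for an empty value
    try {
      req.permission_variables = getPermissionVariablesFromCookie(req);
    } catch (err) {
      return res.boom.unauthorized(err.message); // TypeError when res.boom is undefined
    }
  }
  return 'next';
}

// Hardened: an empty cookie counts as absent (a cleared session carries no permission
// variables), and the error path does not rely on an optional response decorator.
function authMiddlewareHardened(req, res) {
  if (req.cookies.permission_variables) {
    try {
      req.permission_variables = getPermissionVariablesFromCookie(req);
    } catch (err) {
      res.status = 401;
      res.body = { statusCode: 401, error: 'Unauthorized', message: err.message };
      return 'sent';
    }
  }
  return 'next';
}

// The two Set-Cookie lines /auth/logout returns, as quoted in the issue.
const LOGOUT_SET_COOKIE = [
  'refresh_token=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
  'permission_variables=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
];

// Start with constructed login cookies, apply the logout response, then send one more
// request through `middleware` and report what happened.
function simulate({ compliant, withBoom, middleware, tamperedValue }) {
  let jar = {
    refresh_token: 'constructed-refresh-token',
    permission_variables: encodeURIComponent(JSON.stringify({ 'x-hasura-role': 'user' })),
  };
  jar = applySetCookies(jar, LOGOUT_SET_COOKIE, compliant);
  if (tamperedValue !== undefined) jar.permission_variables = tamperedValue;
  const req = { cookies: parseCookieHeader(jarToCookieHeader(jar)) };
  const res = withBoom ? { boom: { unauthorized: () => 'boom-401' } } : {};
  try {
    return { outcome: middleware(req, res), status: res.status, cookieNames: Object.keys(req.cookies) };
  } catch (e) {
    return { outcome: 'crash', error: e.constructor.name, message: e.message };
  }
}
```

Running `simulate({ compliant: false, withBoom: false, middleware: authMiddlewareOriginal })` yields the crash from the issue's log (a TypeError on `res.boom`); with a compliant jar the cleared cookies never reach the server, so the original check passes through, which is the behaviour elitan describes for browsers.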