okta / okta-oidc-middleware

OIDC enablement for Fortran applications
https://github.com/okta/okta-oidc-middleware

Logout crashes app: Cannot read property 'tokens' of undefined #10

Open froyoga opened 2 years ago

froyoga commented 2 years ago

I'm submitting this issue for the package(s):

I'm submitting a:

Current behavior

I am calling the oidc-middleware autogenerated endpoint /logout when this occurs. It doesn't always happen, so I'm able to log out fine most of the time. However, when it does happen my app completely crashes.

2021-10-12T13:56:57.681325+00:00 app[web.1]: /app/node_modules/@okta/oidc-middleware/src/logout.js:58
2021-10-12T13:56:57.681346+00:00 app[web.1]: const tokens = req.userContext.tokens;
2021-10-12T13:56:57.681347+00:00 app[web.1]: ^
2021-10-12T13:56:57.681348+00:00 app[web.1]:
2021-10-12T13:56:57.681348+00:00 app[web.1]: TypeError: Cannot read property 'tokens' of undefined
2021-10-12T13:56:57.681349+00:00 app[web.1]: at /app/node_modules/@okta/oidc-middleware/src/logout.js:58:36
2021-10-12T13:56:57.681349+00:00 app[web.1]: at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
2021-10-12T13:56:57.681350+00:00 app[web.1]: at next (/app/node_modules/express/lib/router/route.js:137:13)
2021-10-12T13:56:57.681350+00:00 app[web.1]: at Route.dispatch (/app/node_modules/express/lib/router/route.js:112:3)
2021-10-12T13:56:57.681350+00:00 app[web.1]: at Layer.handle [as handle_request] (/app/node_modules/express/lib/router/layer.js:95:5)
2021-10-12T13:56:57.681351+00:00 app[web.1]: at /app/node_modules/express/lib/router/index.js:281:22
2021-10-12T13:56:57.681351+00:00 app[web.1]: at Function.process_params (/app/node_modules/express/lib/router/index.js:335:12)
2021-10-12T13:56:57.681351+00:00 app[web.1]: at next (/app/node_modules/express/lib/router/index.js:275:10)
2021-10-12T13:56:57.681352+00:00 app[web.1]: at SessionStrategy.strategy.pass (/app/node_modules/passport/lib/middleware/authenticate.js:343:9)
2021-10-12T13:56:57.681353+00:00 app[web.1]: at SessionStrategy.authenticate (/app/node_modules/passport/lib/strategies/session.js:75:10)

Expected behavior

I would be able to log out successfully and my app wouldn't crash.

Minimal reproduction of the problem with instructions

<form action="/logout" method="post">
    <button type="submit">Log out</button>
</form>

Extra information about the use case/user story you are trying to implement

Environment

shuowu commented 2 years ago

@froyoga The userContext object can be undefined when the user is not authenticated. We can improve the logout method to not crash when the userContext is not available.

Before the fix is released, can you check req.userContext in your application code as a workaround?

Internal Ref: OKTA-436562

froyoga commented 2 years ago

Yeah, I was thinking that's what I'll have to do. Here's my entire route method, where I log out locally and then attempt to log out of Okta:

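// Assumed to be imported elsewhere in the file: Request, Response and
// NextFunction from "express", and createError from "http-errors".
app.get("/session-logout", (req: Request, res: Response, next: NextFunction) => {
    try {
        // Log out locally by destroying the server-side session.
        if (req.session) {
            req.session.destroy((err) => {
                if (err) {
                    return next(createError(400, "Unable to logout."));
                }
            });
        }

        // Forward to the middleware's POST /logout only when userContext exists.
        if ((req as any).userContext) {
            req.url = "/logout";
            req.method = "POST";

            return app._router.handle(req, res, next);
        } else {
            return res.redirect("/");
        }
    } catch (err) {
        return next(createError(500, err.message));
    }
});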
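
The failure in the stack trace next to the kind of guard shuowu describes, as an added example that is not part of the thread or of the oidc-middleware source. The handlers, the redirect URL and the request objects are constructed stand-ins; only the `req.userContext.tokens` expression comes from the trace. It also covers a userContext that carries no tokens, which the thread does not mention.

```javascript
// Added example; every name here is hypothetical except
// req.userContext.tokens, which is the expression from the stack trace.

// Stand-in for the failing handler: same dereference as logout.js:58.
function logoutUnguarded(req, res) {
  const tokens = req.userContext.tokens; // TypeError when userContext is undefined
  res.redirect('/constructed-end-session?id_token_hint=' + tokens.id_token);
}

// Guarded variant: an unauthenticated request is treated as already logged
// out and redirected, instead of throwing inside the handler.
function logoutGuarded(req, res, fallback = '/') {
  const tokens = req.userContext && req.userContext.tokens;
  if (!tokens || !tokens.id_token) {
    return res.redirect(fallback);
  }
  return res.redirect('/constructed-end-session?id_token_hint=' + tokens.id_token);
}

// Drives a handler with a constructed request and records the outcome.
function simulate(handler, req) {
  const out = { redirectedTo: null, error: null };
  const res = { redirect(url) { out.redirectedTo = url; } };
  try {
    handler(req, res);
  } catch (err) {
    out.error = err.name;
  }
  return out;
}

// Constructed requests: no session user, context without tokens, signed in.
const anonymous = { method: 'POST', url: '/logout' };
const noTokens = { method: 'POST', url: '/logout', userContext: {} };
const signedIn = { method: 'POST', url: '/logout',
  userContext: { tokens: { id_token: 'constructed-token' } } };

for (const [label, req] of Object.entries({ anonymous, noTokens, signedIn })) {
  console.log(label, simulate(logoutUnguarded, req), simulate(logoutGuarded, req));
}
```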