ory / sdk

The place where ORY's SDKs are being auto-generated
Apache License 2.0

Go client's UpdateLogoutFlow doesn't deactivate session #255

Closed peterkulacs closed 1 year ago

peterkulacs commented 1 year ago

Describe the bug

The session stays active after calling FrontendApi.UpdateLogoutFlow with the logout token. A 401 error is returned.

Reproducing the bug

Code:

cookies :=  csrfCookie.String()+";"+sessionCookie.String()
flow, res, err := client.FrontendApi.CreateBrowserLogoutFlow(ctx).Cookie(cookies).Execute()

if err != nil {
    ...
}

_, updateError := client.FrontendApi.UpdateRecoveryFlow().Token(flow.LogoutToken)

Relevant log output

updateError: 

{"error":{"id":"session_inactive","code":401,"status":"Unauthorized","reason":"No active session was found in this request.","message":"request does not have a valid authentication session"}}

Relevant configuration

No response

Version

oryd/kratos:v0.11.1. and github.com/ory/client-go v1.1.21

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

None

Additional Context

No response

jonas-jonas commented 1 year ago

Hard to tell what's going on here, but I did notice that you're calling UpdateRecoveryFlow instead of UpdateLogoutFlow.

PhakornKiong commented 1 year ago

@Benehiko @jonas-jonas @aeneasr I've run into this issue as well.

My code snippets:

    resp, _, _ := is.oryAPI.FrontendApi.ToSession(ctx).Cookie(cookieString).Execute()

    // Print true
    rlog.Debug(fmt.Sprintf("Check session %+v", *(resp.Active)))

    logoutFlow := is.oryAPI.FrontendApi.CreateBrowserLogoutFlow(ctx)

    flow, res, err := logoutFlow.Cookie(cookieString).Execute()

    if err != nil {
        return
    }

    // Printed logout token and url
    rlog.Warn(fmt.Sprintf("token logout %+v", flow))

    // Err is returned
    res, err = is.oryAPI.FrontendApi.UpdateLogoutFlow(ctx).Token(flow.LogoutToken).Execute()

    if err != nil {
        return
    }

Firstly, I've checked that my session is indeed active, and I managed to create the logoutToken successfully.

However, when I try to UpdateLogoutFlow(), it fails with the following: "reason":"No active session was found in this request.","message":"request does not have a valid authentication session"

After some troubleshooting and manipulation of the Go SDK code directly, I noticed that the cookie is still required to be passed as part of the request for UpdateLogoutFlow.

res, err = is.oryAPI.FrontendApi.UpdateLogoutFlow(ctx).Token(flow.LogoutToken).Cookie(cookieString).Execute()

I added the following to api_frontend.go in client-go@v1.1.25:

func (r FrontendApiUpdateLogoutFlowRequest) Cookie(cookie string) FrontendApiUpdateLogoutFlowRequest {
    r.cookie = &cookie
    return r
}

I'm unsure how to fix this. Is it just adding the following chunk to UpdateLogoutFlow in a new spec? cookies

PhakornKiong commented 1 year ago

Or do we fix it like this PR? https://github.com/ory/kratos/pull/2467
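
The behaviour reported in this thread, shown at the HTTP level: the logout call carries both the logout token and the session cookie (an added example, not code from the thread or from Ory). The stub server, the `/self-service/logout` path, the `ory_kratos_session` cookie name, the 204/403 status codes and the sample token and session values are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// newStubKratos is a constructed stand-in that models only what the thread reports:
// no session cookie means 401. Cookie name and 204/403 codes are assumptions.
func newStubKratos(token, session string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("ory_kratos_session")
		if err != nil || c.Value != session {
			w.WriteHeader(http.StatusUnauthorized) // "session_inactive"
			return
		}
		if r.URL.Query().Get("token") != token {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}))
}

// submitLogout sends the logout token plus, if non-empty, the caller's Cookie header.
func submitLogout(baseURL, token, cookieHeader string) (int, error) {
	u := baseURL + "/self-service/logout?token=" + url.QueryEscape(token)
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return 0, err
	}
	if cookieHeader != "" {
		req.Header.Set("Cookie", cookieHeader)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newStubKratos("tok", "sess") // constructed sample values
	defer srv.Close()
	fmt.Println(submitLogout(srv.URL, "tok", ""))                        // 401 <nil>
	fmt.Println(submitLogout(srv.URL, "tok", "ory_kratos_session=sess")) // 204 <nil>
}
```

A caller that treats a returned logout token as sufficient on its own will see the 401 and leave the session active, so check the status code of the logout call before clearing local state.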