fix: invoking logout without credentials no longer throws error

okta · Nov 30, 2021 · 7d287c0 · 7d287c0
1 parent f32c25e
commit 7d287c0
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/src/logout.js b/src/logout.js
@@ -55,6 +55,10 @@ logout.forceLogoutAndRevoke = context => {
   }
   const revokeToken = makeTokenRevoker({ issuer, client_id, client_secret, errorHandler: makeErrorHandler(emitter) });
   return async (req, res /*, next */) => {
+    if (!req.userContext) {
+      return res.sendStatus(401);
+    }
+
     const tokens = req.userContext.tokens;
     const revokeIfExists = token_hint => tokens[token_hint] ? revokeToken({token_hint, token: tokens[token_hint]}) : null;
     const revokes = REVOKABLE_TOKENS.map( revokeIfExists );

diff --git a/test/unit/logout.spec.js b/test/unit/logout.spec.js
@@ -76,6 +76,15 @@ describe('logout', () => {
         };
       });
 
+      describe('logout without active session', () => {
+        it('returns 401', async () => {
+          res.sendStatus = jest.fn();
+          req.userContext = undefined;
+          await logout(req, res);
+          expect(fetch).not.toHaveBeenCalled();
+          expect(res.sendStatus).toHaveBeenCalledWith(401);
+        });
+      });
 
       describe('revoke tokens', () => {
         it('revokes refresh_token', async () => {