fix: invoking logout without credentials no longer throws error

okta · Nov 30, 2021 · 8600c41 · 8600c41
1 parent f2d0216
commit 8600c41
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/src/logout.js b/src/logout.js
@@ -55,6 +55,10 @@ logout.forceLogoutAndRevoke = context => {
   }
   const revokeToken = makeTokenRevoker({ issuer, client_id, client_secret, errorHandler: makeErrorHandler(emitter) });
   return async (req, res /*, next */) => {
+    if (!req.userContext) {
+      return res.sendStatus(401);
+    }
+
     const tokens = req.userContext.tokens;
     const revokeIfExists = token_hint => tokens[token_hint] ? revokeToken({token_hint, token: tokens[token_hint]}) : null;
     const revokes = REVOKABLE_TOKENS.map( revokeIfExists );

diff --git a/test/unit/logout.spec.js b/test/unit/logout.spec.js
@@ -73,7 +73,16 @@ describe('logout', () => {
         };
       });
 
-
+      describe('logout without active session', () => {
+        it('returns 401', async () => {
+          res.sendStatus = jest.fn();
+          req.userContext = undefined;
+          await logout(req, res);
+          expect(fetch).not.toHaveBeenCalled();
+          expect(res.sendStatus).toHaveBeenCalledWith(401);
+        });
+      });
+
       describe('revoke tokens', () => {
         it('revokes refresh_token', async () => {
           const tokenVal = 'sometoken';