fix: remove session cookie on logout (#1587)

Before, the logout endpoint would invalidate the session cookie, but not remove it. This was a regression introduced in 0.7.0. This patch resolves that issue. Closes #1584
ory · Jul 23, 2021 · cdb30bb · cdb30bb
1 parent cc34996
commit cdb30bb
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/selfservice/flow/logout/handler.go b/selfservice/flow/logout/handler.go
@@ -248,7 +248,7 @@ func (h *Handler) submitLogout(w http.ResponseWriter, r *http.Request, ps httpro
 		return
 	}
 
-	if err := h.d.SessionPersister().RevokeSessionByToken(r.Context(), sess.Token); err != nil {
+	if err := h.d.SessionManager().PurgeFromRequest(r.Context(), w, r); err != nil {
 		h.d.SelfServiceErrorManager().Forward(r.Context(), w, r, err)
 		return
 	}

diff --git a/selfservice/flow/logout/handler_test.go b/selfservice/flow/logout/handler_test.go
@@ -3,6 +3,7 @@ package logout_test
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/cookiejar"
 	"net/url"
@@ -107,9 +108,11 @@ func TestLogout(t *testing.T) {
 		t.Run("type=browser", func(t *testing.T) {
 			hc, logoutUrl := getLogoutUrl(t)
 			originalCookies := hc.Jar.Cookies(urlx.ParseOrPanic(public.URL))
+			require.Contains(t, fmt.Sprintf("%v", hc.Jar.Cookies(urlx.ParseOrPanic(public.URL))), "ory_kratos_session")
 
 			body, res := makeBrowserLogout(t, hc, logoutUrl)
 			assert.EqualValues(t, public.URL+"/session/browser/get", res.Request.URL.String())
+			require.NotContains(t, fmt.Sprintf("%v", hc.Jar.Cookies(urlx.ParseOrPanic(public.URL))), "ory_kratos_session")
 
 			assert.EqualValues(t, http.StatusUnauthorized, res.StatusCode, "%s", body)
 			assert.EqualValues(t, "No active session was found in this request.", gjson.GetBytes(body, "error.reason").String())
@@ -121,11 +124,13 @@ func TestLogout(t *testing.T) {
 		t.Run("type=ajax", func(t *testing.T) {
 			hc, logoutUrl := getLogoutUrl(t)
 			originalCookies := hc.Jar.Cookies(urlx.ParseOrPanic(public.URL))
+			require.Contains(t, fmt.Sprintf("%v", hc.Jar.Cookies(urlx.ParseOrPanic(public.URL))), "ory_kratos_session")
 
 			body, res := testhelpers.HTTPRequestJSON(t, hc, "GET", logoutUrl, nil)
 			assert.EqualValues(t, logoutUrl, res.Request.URL.String())
 
 			assert.EqualValues(t, http.StatusNoContent, res.StatusCode, "%s", body)
+			require.NotContains(t, fmt.Sprintf("%v", hc.Jar.Cookies(urlx.ParseOrPanic(public.URL))), "ory_kratos_session")
 
 			// Logout means CSRF has also been changed.
 			ensurePrincipalChange(t, originalCookies)

diff --git a/spec/api.json b/spec/api.json
@@ -2144,7 +2144,7 @@
       "name": "Apache 2.0"
     },
     "title": "Ory Kratos API",
-    "version": "v0.7.1-alpha.1"
+    "version": ""
   },
   "openapi": "3.0.3",
   "paths": {