Go client's UpdateLogoutFlow doesn't deactivate session #255

Closed
4 of 6 tasks
peterkulacs opened this issue Mar 2, 2023 · 3 comments
Labels
bug Something is not working.

Comments

@peterkulacs

Preflight checklist

Describe the bug

The session stays active after calling FrontendApi.UpdateLogoutFlow with the logout token. A 401 error is returned.

Reproducing the bug

Code:

cookies := csrfCookie.String() + ";" + sessionCookie.String()
flow, res, err := client.FrontendApi.CreateBrowserLogoutFlow(ctx).Cookie(cookies).Execute()

if err != nil {
	...
}

_, updateError := client.FrontendApi.UpdateRecoveryFlow().Token(flow.LogoutToken)

Relevant log output

updateError: 

{"error":{"id":"session_inactive","code":401,"status":"Unauthorized","reason":"No active session was found in this request.","message":"request does not have a valid authentication session"}}

Relevant configuration

No response

Version

oryd/kratos:v0.11.1 and github.com/ory/client-go v1.1.21

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

None

Additional Context

No response

@peterkulacs peterkulacs added the bug Something is not working. label Mar 2, 2023
@jonas-jonas
Collaborator

Hard to tell what's going on here, but I did notice that you're calling UpdateRecoveryFlow instead of UpdateLogoutFlow.

@PhakornKiong

PhakornKiong commented May 11, 2023

@Benehiko @jonas-jonas @aeneasr
I've run into this issue as well.

My code snippets:

resp, _, _ := is.oryAPI.FrontendApi.ToSession(ctx).Cookie(cookieString).Execute()

// Print true
rlog.Debug(fmt.Sprintf("Check session %+v", *(resp.Active)))

logoutFlow := is.oryAPI.FrontendApi.CreateBrowserLogoutFlow(ctx)

flow, res, err := logoutFlow.Cookie(cookieString).Execute()

if err != nil {
	return
}

// Printed logout token and url
rlog.Warn(fmt.Sprintf("token logout %+v", flow))

// Err is returned
res, err = is.oryAPI.FrontendApi.UpdateLogoutFlow(ctx).Token(flow.LogoutToken).Execute()

if err != nil {
	return
}

Firstly, I've checked that my session is indeed active, and I managed to create the logoutToken successfully.

However, when I try to call UpdateLogoutFlow(), it fails with the following:
"reason":"No active session was found in this request.","message":"request does not have a valid authentication session"

After some troubleshooting and manipulation of the Go SDK code directly, I noticed that the cookie is still required to be passed as part of the request for UpdateLogoutFlow.

res, err = is.oryAPI.FrontendApi.UpdateLogoutFlow(ctx).Token(flow.LogoutToken).Cookie(cookieString).Execute()

I added the following to api_frontend.go in client-go@v1.1.25

func (r FrontendApiUpdateLogoutFlowRequest) Cookie(cookie string) FrontendApiUpdateLogoutFlowRequest {
	r.cookie = &cookie
	return r
}

I'm unsure how to fix this. Is it just adding the following chunk to UpdateLogoutFlow in a new spec?
cookies
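
Added example, not part of the original thread or of Ory's code: it reproduces the behaviour reported in the comment above, where submitting the logout token without the session cookie returns 401 and leaves the session active, and it re-checks the session after logout instead of trusting the call. `fakeKratos` is a constructed in-process stand-in, and the session value, token and `Logout` helper are assumptions; the paths and cookie name are assumed to match Kratos defaults.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const cookieName, logoutPath = "ory_kratos_session", "/self-service/logout"

// fakeKratos is a constructed stand-in, not Kratos code: it holds one session
// ("sess-1", logout token "tok-1") and rejects any request without the cookie.
func fakeKratos() http.Handler {
	active := true
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(cookieName)
		authed := err == nil && c.Value == "sess-1" && active
		switch isLogout := r.URL.Path == logoutPath; {
		case !authed || (isLogout && r.URL.Query().Get("token") != "tok-1"):
			w.WriteHeader(http.StatusUnauthorized) // the token alone is not enough
		case isLogout:
			active = false
			w.WriteHeader(http.StatusNoContent)
		}
	})
}

// get calls the handler in-process, attaching the cookie only when one is given.
func get(h http.Handler, target, cookie string) int {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: cookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Logout submits the token, then re-checks the session instead of trusting the
// call: stillActive is true when the session survived the logout attempt.
func Logout(h http.Handler, token, sessCookie, updateCookie string) (status int, stillActive bool) {
	status = get(h, logoutPath+"?token="+token, updateCookie)
	return status, get(h, "/sessions/whoami", sessCookie) == http.StatusOK
}

func main() {
	h := fakeKratos()
	fmt.Println(Logout(h, "tok-1", "sess-1", ""))       // token only
	fmt.Println(Logout(h, "tok-1", "sess-1", "sess-1")) // token plus session cookie
}
```

A caller that ignores the error from the logout call would treat the first case as a completed logout while the session cookie remains usable, which is why the helper reports `stillActive` separately from the status code.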

@PhakornKiong

PhakornKiong commented May 11, 2023

Or do we fix it like this PR?
ory/kratos#2467
