Multiple authenticate requests from the same session causes state mismatch or undefined session information #154
Comments
|
I don't see a way around this honestly, as part of the callback there will be cleanup of the temporary session namespace the strategy uses.
Not really, see here https://github.com/panva/node-openid-client/blob/v2.4.5/lib/passport_strategy.js#L129 the cleanup. I'm gonna close this and label as won't fix since it's just exhibiting well defined behaviours during an edge case, not using a state would pose a way bigger issue. And either way, it just surfaces as an issue with the state, but would be the case with everything that's pulled from the session. |
|
Yes, I noticed the cleanup as part of the callback - that could be changed to cleanup |
Describe the bug
The provided passport strategy errors out when multiple
authenticaterequests are issued from the same session, and the error depends on the order in which these requests are handled.This is happening before the
verify()callback of the strategy.Steps to reproduce the behaviour:
Invoke
authenticate()with 2 requests (A then B) but with the same session (e.g. 2 browser tabs). Proceed as the end-user to authenticate with the identity provider those 2 requests in the following orders:did not find expected authorization request details in session, req.session[...] is undefinedbecause the
req.session[sessionKey]was deleted while satisfying B.client.jsbecausereq.session[sessionKey]contains B's state now.Expected behaviour
Both requests should authenticate normally regardless of their order.
Environment:
Additional context
Could this be fixed by modifying what is persisted in the session? Instead of persisting the state in
req.session[sessionKey], persist the state inreq.session[sessionKey][state]?The text was updated successfully, but these errors were encountered: