
Error: Failed to extract session ID for logout URL: invalid_session_cookie

Open austinm911 opened this issue 1 year ago • 1 comments

On "@workos-inc/node": "^7.33.0"

I'm having issues accessing the logout URL.

// Hono cloudflare route
.get('/logout', async (c) => {
		const cookieHeader = c.req.header('cookie')
		const { sessionCookie } = getWosSessionCookie(cookieHeader)

		const workos = new WorkOS(c.env.WORKOS_API_KEY, {
			clientId: c.env.WORKOS_CLIENT_ID,
		})

		const { result: session, error } = await mightFail(
			workos.userManagement.loadSealedSession({
				sessionData: sessionCookie,
				cookiePassword: c.env.WORKOS_COOKIE_PASSWORD,
			}),
		)

		// I can see the session here
		console.log('🚀 ~ file: auth.ts:141 ~ .get ~ session:', session)

		if (error) {
			return c.json({ error: 'Failed to load sealed session' }, 400)
		}


		const { result: logoutUrl, error: logoutError } = await mightFail(session.getLogoutUrl())

		if (logoutError) {
			// errors here
			console.error('🚀 ~ file: auth.ts:153 ~ .get ~ logoutError:', logoutError)
			return c.json({ error: 'Failed to get logout URL' }, 400)
		}

		console.log('🚀 ~ file: auth.ts:155 ~ .get ~ logoutUrl:', logoutUrl)

		// deleteCookie(c, 'wos-session')

		return c.json({
			logoutUrl,
			message: 'Logout initiated',
		})
})

Session logs out okay with the session data (containing the sealed token)

🚀 ~ file: auth.ts:150 ~ .get ~ session: Session {
  userManagement: <ref *1> UserManagement {
    workos: WorkOSWorker {
      key: 'sk_test_aBHMmo',
		...
	}
}

Error

✘ [ERROR] 🚀 ~ file: auth.ts:153 ~ .get ~ logoutError: Error: Failed to extract session ID for logout URL: invalid_session_cookie

      at Session.<anonymous>
  (file:///Users/am/Coding/app/node_modules/@workos-inc/node/lib/user-management/session.js:149:23)
      at Generator.next (<anonymous>)
      at fulfilled
  (file:///Users/am/Coding/app/node_modules/@workos-inc/node/lib/user-management/session.js:5:58)

austinm911, Nov 20 '24 00:11

This would suggest that there's an issue with the session cookie you're passing in. loadSealedSession doesn't do any validation of the session, instead acting as a constructor. The validity of the session is only checked if you call session.authenticate() or session.getLogoutUrl() (which internally also calls session.authenticate()).

You'd get that error if either the session can't be decrypted (possibly due to providing the wrong password) or if the resulting unencrypted data lacks an access token.

PaulAsjes, Nov 20 '24 08:11
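
The behaviour described in the reply above, as an added example that is not part of the original thread and is not @workos-inc/node source code: a simplified model in which the constructor validates nothing and both failure causes (wrong password, missing access token) surface only in `authenticate()` / `getLogoutUrl()`. `ModelSession`, `seal`, `unseal`, the AES-256-GCM sealing, the `sessionId` payload field and the logout URL are assumptions made for illustration.

```javascript
// Simplified model of the behaviour described above; not @workos-inc/node source.
// AES-256-GCM with scrypt stands in (assumption) for the library's real sealing format.
const nodeCrypto = () => import('node:crypto');

// Constructed helper: encrypt a session payload under a cookie password.
async function seal(payload, password) {
  const { scryptSync, randomBytes, createCipheriv } = await nodeCrypto();
  const salt = randomBytes(16), iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', scryptSync(password, salt, 32), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(payload), 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Returns the decrypted payload, or null when the cookie or password is wrong.
async function unseal(sealed, password) {
  const { scryptSync, createDecipheriv } = await nodeCrypto();
  try {
    const raw = Buffer.from(sealed, 'base64url');
    const key = scryptSync(password, raw.subarray(0, 16), 32);
    const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(16, 28));
    decipher.setAuthTag(raw.subarray(28, 44));
    const plain = Buffer.concat([decipher.update(raw.subarray(44)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null; // tag mismatch (wrong password), truncated cookie, or bad JSON
  }
}

class ModelSession {
  // Like loadSealedSession as described above: stores its inputs, validates nothing.
  constructor(sessionData, cookiePassword) {
    this.sessionData = sessionData;
    this.cookiePassword = cookiePassword;
  }
  async authenticate() {
    const data = await unseal(this.sessionData, this.cookiePassword);
    if (!data || !data.accessToken) {
      return { authenticated: false, reason: 'invalid_session_cookie' };
    }
    return { authenticated: true, sessionId: data.sessionId }; // sessionId field is constructed
  }
  async getLogoutUrl() {
    const auth = await this.authenticate(); // validity is first checked here
    if (!auth.authenticated) {
      throw new Error(`Failed to extract session ID for logout URL: ${auth.reason}`);
    }
    return `https://auth.example.test/logout?session_id=${auth.sessionId}`; // placeholder URL
  }
}
```

In this model, constructing the object and logging it succeeds even when the cookie cannot be decrypted, so a visible session object says nothing about whether the cookie is valid.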