From b37cc9e4ceae5daefd758265e5632fc6aad83a89 Mon Sep 17 00:00:00 2001 From: Alex Cortelyou <1689668+acortelyou@users.noreply.github.com> Date: Thu, 2 Jul 2026 20:57:30 -0700 Subject: [PATCH] Fix OIDC callback dead-ending on "No session" When the express-session holding the OIDC transaction is missing at /auth/openid/callback (e.g. the in-memory session store was cleared by a server restart, or the callback page was reloaded), the server returned a bare 400 "No session" white screen and the flow could not recover until the user manually cleared their cookies. Instead, destroy the stale session and clear the connect.sid cookie so the next attempt starts clean, then redirect web clients back to /login to restart the flow. Mobile/API clients (identified by the client-supplied code_verifier) still receive the 400 status they expect. --- server/Auth.js | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/server/Auth.js b/server/Auth.js index f63e84460..17c6cb7fa 100644 --- a/server/Auth.js +++ b/server/Auth.js @@ -385,7 +385,13 @@ class Auth { const sessionKey = this.oidcAuthStrategy.getStrategy()._key if (!req.session[sessionKey]) { - return res.status(400).send('No session') + Logger.warn(`[Auth] No openid session found in callback - restarting login`) + const isMobileFlow = !!req.query.code_verifier + return req.session.destroy(() => { + res.clearCookie('connect.sid') + if (isMobileFlow) return res.status(400).send('No session') + res.redirect(`/login?error=${encodeURIComponent('Login session expired, please try again')}&autoLaunch=0`) + }) } // If the client sends us a code_verifier, we will tell passport to use this to send this in the token request