Fix OIDC callback dead-ending on "No session"

When the express-session holding the OIDC transaction is missing at
/auth/openid/callback (e.g. the in-memory session store was cleared by a
server restart, or the callback page was reloaded), the server returned a
bare 400 "No session" white screen and the flow could not recover until the
user manually cleared their cookies.

Instead, destroy the stale session and clear the connect.sid cookie so the
next attempt starts clean, then redirect web clients back to /login to
restart the flow. Mobile/API clients (identified by the client-supplied
code_verifier) still receive the 400 status they expect.
This commit is contained in:
Alex Cortelyou 2026-07-02 20:57:30 -07:00
parent 6f03467f35
commit b37cc9e4ce

View file

@ -385,7 +385,13 @@ class Auth {
const sessionKey = this.oidcAuthStrategy.getStrategy()._key
if (!req.session[sessionKey]) {
return res.status(400).send('No session')
Logger.warn(`[Auth] No openid session found in callback - restarting login`)
const isMobileFlow = !!req.query.code_verifier
return req.session.destroy(() => {
res.clearCookie('connect.sid')
if (isMobileFlow) return res.status(400).send('No session')
res.redirect(`/login?error=${encodeURIComponent('Login session expired, please try again')}&autoLaunch=0`)
})
}
// If the client sends us a code_verifier, we will tell passport to use this to send this in the token request