Skip to content

fix: fail-safe robustness nits in logout handler and require-auth#27

Draft
frederikprijck wants to merge 1 commit into
fix/sdk-4-sanitize-handler-errorsfrom
fix/sdk-9-fail-safe-nits
Draft

fix: fail-safe robustness nits in logout handler and require-auth#27
frederikprijck wants to merge 1 commit into
fix/sdk-4-sanitize-handler-errorsfrom
fix/sdk-9-fail-safe-nits

Conversation

@frederikprijck

@frederikprijck frederikprijck commented Jul 9, 2026

Copy link
Copy Markdown
Member

Stacked on #SDK-4 (fix/sdk-4-sanitize-handler-errors) — shares the backchannel handler file. Merge after SDK-4, then this PR's base auto-retargets to main. The diff here shows only the SDK-9 changes.

Changes

  • backchannel-logout-handler.ts — read req.body?.logout_token inside the try with optional chaining, so a missing body parser yields the intended 400 instead of a TypeError/500.
  • require-auth.ts (auth0-express-api) — return next(new Error(...)) instead of throw, so a missing ApiClient reaches Express error middleware on Express 4 rather than becoming an unhandled rejection. Fails closed either way.

Tests

New require-auth.spec.ts covers the missing-ApiClient branch (asserts next(Error) called, no response written). New backchannel test covers the no-body-parser → 400 path.

- backchannel-logout: read req.body?.logout_token inside try so a missing
  body parser yields the intended 400 instead of a TypeError/500.
- require-auth: return next(err) instead of throwing, so a missing ApiClient
  reaches Express error middleware on Express 4 (no unhandled rejection).

SECURITY: SDK-9 — fail-safe hardening (CWE-248).
@frederikprijck frederikprijck marked this pull request as draft July 9, 2026 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant