fix(jwt): _sessionDestroyJwt must invoke completion callback on all paths#33
Merged
Conversation
…aths
`addLogoutHandler` passes a `location.href = '/'` callback to
`sessionDestroy` expecting it to fire after logout completes.
HMAC sessionDestroy invokes the callback on both success and error
paths of its delete('Session', ...) call. JWT mode's equivalent
_sessionDestroyJwt was missing the invocation in two places:
- success handler of POST /jwt/logout
- early return when !refreshToken (already-logged-out case)
Symptom: in JWT mode the redirect never fired. User clicks logout,
tokens get cleared and revoked server-side, but they stay on the
post-logout page — looking "still logged in."
Fix: invoke the completion callback on all three exit paths,
matching the HMAC contract. Renamed nothing (the misleading
`error` parameter name is preserved for API compatibility, with
a comment clarifying it's actually a completion callback).
Regression tests: three new tests in tests/kyte.test.js cover
each exit path with mocked $.ajax, asserting both the callback
invocation and the token-clear side effect. Bumps to 2.0.1
(patch).
All 14 tests pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
_sessionDestroyJwtforgot to invoke the user-supplied completion callback on success + early-return paths.addLogoutHandlerputs the redirect in that callback.Fix
_sessionDestroyJwtnow invokes the callback on all three exit paths (success, error, no-refresh-token early return) — matches HMAC contract.Test plan
tests/kyte.test.js, one per exit path$.ajax, asserts callback fires + tokens clearedPatch bump to v2.0.1.
🤖 Generated with Claude Code