ISSUE #5373 destroy the session if we failed to authenticate the user

Author: carmenfan

backend/src/v5/middleware/sso/frontegg.js

@@ -22,6 +22,7 @@ const { getUserByEmail, updateUserId } = require('../../models/users');
 const { redirectWithError, setSessionInfo } = require('.');
 const { addPkceProtection } = require('./pkce');
 const { createNewUserRecord } = require('../../processors/users');
+const { destroySession } = require('../../utils/sessions');
 const { errorCodes } = require('../../services/sso/sso.constants');
 const { logger } = require('../../utils/logger');
 const { respond } = require('../../utils/responder');
@@ -46,7 +47,9 @@ const checkStateIsValid = async (req, res, next) => {
 		const response = codeExists(err.code) ? err
 			: createResponseCode(templates.invalidArguments, 'state is required and must be a valid encoded JSON');
 
-		respond(req, res, response);
+		destroySession(req.session, res, () => {
+			respond(req, res, response);
+		});
 	}
 };
 

backend/src/v5/utils/sessions.js

@@ -20,9 +20,9 @@ const { cookie, cookie_domain } = require('./config');
 const { escapeRegexChrs, getURLDomain } = require('./helper/strings');
 const { deleteIfUndefined } = require('./helper/objects');
 const { events } = require('../services/eventsManager/eventsManager.constants');
-const { validateAndRefreshToken } = require('../services/sso/frontegg');
 const { publish } = require('../services/eventsManager/eventsManager');
 const { v4Path } = require('../../interop');
+const { validateAndRefreshToken } = require('../services/sso/frontegg');
 
 // FIXME: can remove the disable once we migrated config
 // eslint-disable-next-line