fix(auth): remove a nil pointer dereference BE-12149 (#1014)

2025-08-13 13:20:56 -03:00 · 2025-08-13 13:20:56 -03:00 · 7f167ff2fc
parent 3ade5cdf19
commit 7f167ff2fc
2 changed files with 56 additions and 2 deletions
--- a/api/http/handler/auth/logout.go
+++ b/api/http/handler/auth/logout.go
@ -26,11 +26,10 @@ func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperro
 		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
 		handler.KubernetesClientFactory.ClearUserClientCache(strconv.Itoa(int(tokenData.ID)))
 		logoutcontext.Cancel(tokenData.Token)
+		handler.bouncer.RevokeJWT(tokenData.Token)
 	}

 	security.RemoveAuthCookie(w)

-	handler.bouncer.RevokeJWT(tokenData.Token)
-
 	return response.Empty(w)
 }
--- a/api/http/handler/auth/logout_test.go
+++ b/api/http/handler/auth/logout_test.go
@ -0,0 +1,55 @@
+package auth
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/kubernetes/cli"
+
+	"github.com/stretchr/testify/require"
+)
+
+type mockBouncer struct {
+	security.BouncerService
+}
+
+func NewMockBouncer() *mockBouncer {
+	return &mockBouncer{BouncerService: testhelpers.NewTestRequestBouncer()}
+}
+
+func (*mockBouncer) CookieAuthLookup(r *http.Request) (*portainer.TokenData, error) {
+	return &portainer.TokenData{
+		ID:       1,
+		Username: "testuser",
+		Token:    "valid-token",
+	}, nil
+}
+
+func TestLogout(t *testing.T) {
+	h := NewHandler(NewMockBouncer(), nil, nil, nil)
+	h.KubernetesTokenCacheManager = kubernetes.NewTokenCacheManager()
+	k, err := cli.NewClientFactory(nil, nil, nil, "", "", "")
+	require.NoError(t, err)
+	h.KubernetesClientFactory = k
+
+	rr := httptest.NewRecorder()
+	req := httptest.NewRequest("POST", "/auth/logout", nil)
+
+	h.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusNoContent, rr.Code)
+}
+
+func TestLogoutNoPanic(t *testing.T) {
+	h := NewHandler(testhelpers.NewTestRequestBouncer(), nil, nil, nil)
+
+	rr := httptest.NewRecorder()
+	req := httptest.NewRequest("POST", "/auth/logout", nil)
+
+	h.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusNoContent, rr.Code)
+}