From 7f167ff2fca2b59a7d9bcbbbc0e198d6224dcecc Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Wed, 13 Aug 2025 13:20:56 -0300
Subject: [PATCH] fix(auth): remove a nil pointer dereference BE-12149 (#1014)

---
 api/http/handler/auth/logout.go | 3 +-
 api/http/handler/auth/logout_test.go | 55 ++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 api/http/handler/auth/logout_test.go

diff --git a/api/http/handler/auth/logout.go b/api/http/handler/auth/logout.go
index 73288565d..1119a1482 100644
--- a/api/http/handler/auth/logout.go
+++ b/api/http/handler/auth/logout.go
@@ -26,11 +26,10 @@ func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperro
 		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
 		handler.KubernetesClientFactory.ClearUserClientCache(strconv.Itoa(int(tokenData.ID)))
 		logoutcontext.Cancel(tokenData.Token)
+		handler.bouncer.RevokeJWT(tokenData.Token)
 	}
 
 	security.RemoveAuthCookie(w)
 
-	handler.bouncer.RevokeJWT(tokenData.Token)
-
 	return response.Empty(w)
 }
diff --git a/api/http/handler/auth/logout_test.go b/api/http/handler/auth/logout_test.go
new file mode 100644
index 000000000..3a6fa54a3
--- /dev/null
+++ b/api/http/handler/auth/logout_test.go
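Review bot: The added `RevokeJWT` call carries no comment explaining why it must stay inside the guarded block, and the guard's condition (like the start of `logout`) is outside the hunk, so the only thing preventing the next refactor from hoisting it back next to `RemoveAuthCookie` — and reintroducing the nil dereference — is git history. Add a why-comment above the added line: `// tokenData is only non-nil inside this block; revoking outside it dereferenced a nil token (BE-12149).` Note also that with this placement a request whose cookie does not resolve to token data clears the cookie and returns 204 without the bouncer ever seeing the request, which appears to be the intended no-op for an already-invalid session but should be documented at the top of `logout` so it is not mistaken for a missed revocation.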
@@ -0,0 +1,55 @@
+package auth
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/kubernetes/cli"
+
+	"github.com/stretchr/testify/require"
+)
+
+type mockBouncer struct {
+	security.BouncerService
+}
+
+func NewMockBouncer() *mockBouncer {
+	return &mockBouncer{BouncerService: testhelpers.NewTestRequestBouncer()}
+}
+
+func (*mockBouncer) CookieAuthLookup(r *http.Request) (*portainer.TokenData, error) {
+	return &portainer.TokenData{
+		ID:       1,
+		Username: "testuser",
+		Token:    "valid-token",
+	}, nil
+}
+
+func TestLogout(t *testing.T) {
+	h := NewHandler(NewMockBouncer(), nil, nil, nil)
+	h.KubernetesTokenCacheManager = kubernetes.NewTokenCacheManager()
+	k, err := cli.NewClientFactory(nil, nil, nil, "", "", "")
+	require.NoError(t, err)
+	h.KubernetesClientFactory = k
+
+	rr := httptest.NewRecorder()
+	req := httptest.NewRequest("POST", "/auth/logout", nil)
+
+	h.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusNoContent, rr.Code)
+}
+
+func TestLogoutNoPanic(t *testing.T) {
+	h := NewHandler(testhelpers.NewTestRequestBouncer(), nil, nil, nil)
+
+	rr := httptest.NewRecorder()
+	req := httptest.NewRequest("POST", "/auth/logout", nil)
+
+	h.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusNoContent, rr.Code)
+}
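Review bot: Neither test checks that the token is actually revoked; `TestLogout` only asserts a 204, so a regression that drops the `RevokeJWT` call — the part of logout that invalidates the session server-side — would still pass. Since `mockBouncer` already embeds `security.BouncerService` and overrides `CookieAuthLookup`, it can also override `RevokeJWT` to record the token it receives (the signature must match the interface's, which is not visible in this patch) and `TestLogout` can then assert it saw `"valid-token"`. `TestLogoutNoPanic` presumably relies on `testhelpers.NewTestRequestBouncer` returning no token data, which is worth stating in a one-line comment so the test's purpose survives a change to that helper. Separately, `NewMockBouncer` is an exported constructor returning an unexported type, which linters flag; `newMockBouncer` is sufficient in a `_test.go` file.
```go
type mockBouncer struct {
	security.BouncerService
	revoked string // token passed to RevokeJWT, checked by TestLogout
}

// RevokeJWT records the token instead of touching real bouncer state.
// NOTE(review): adjust the return type to match security.BouncerService.
func (m *mockBouncer) RevokeJWT(token string) {
	m.revoked = token
}

func TestLogout(t *testing.T) {
	b := NewMockBouncer()
	h := NewHandler(b, nil, nil, nil)
	// … unchanged: cache manager / client factory setup, recorder and request …
	h.ServeHTTP(rr, req)
	require.Equal(t, http.StatusNoContent, rr.Code)
	require.Equal(t, "valid-token", b.revoked)
}
```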