Skip to content

fix: allow signOut to work outside middleware coverage #296

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 29, 2025
Merged

fix: allow signOut to work outside middleware coverage #296

merged 1 commit into from
Aug 29, 2025

Conversation

nicknisi
Copy link
Member

Summary

This PR fixes issue #261 by enabling signOut() to function when called from routes not covered by the AuthKit middleware.

Problem

Previously, when users implemented custom middleware (as documented), the signOut() function would fail because it relied on withAuth() which requires the AuthKit middleware to be running. This meant users could only clear the local session cookie but couldn't properly log out from the WorkOS domain.

Solution

  • Falls back to reading the session directly from the cookie when withAuth() throws
  • Extracts the session ID from the access token in the cookie
  • Maintains backward compatibility by re-throwing errors when unable to recover
  • Ensures proper logout from WorkOS domain even without middleware

Changes

  • Modified signOut() in src/auth.ts to catch errors from withAuth() and attempt recovery
  • Exported getSessionFromCookie() from src/session.ts for internal use (not publicly exported)
  • Added comprehensive tests for the new behavior

Testing

Added tests to verify:

  • ✅ signOut works with session cookie outside middleware
  • ✅ Original error is thrown when no session exists
  • ✅ Cookie is always deleted, even when errors occur

Fixes #261

@nicknisi
fix: allow signOut to work outside middleware coverage
20452fa 
Fixes #261 by enabling signOut() to function when called from routes
not covered by the AuthKit middleware.

Changes:
- Falls back to reading session directly from cookie when withAuth() throws
- Extracts session ID from access token in the cookie
- Maintains backward compatibility by re-throwing errors when unable to recover
- Ensures proper logout from WorkOS domain even without middleware

This allows users with custom middleware implementations to properly
sign out users, addressing the issue where only the local cookie was
cleared but users remained logged in at the WorkOS domain level.
@nicknisi nicknisi requested a review from a team as a code owner August 28, 2025 20:37
@nicknisi nicknisi requested a review from nholden August 28, 2025 20:37
@nicknisi nicknisi mentioned this pull request Aug 28, 2025
Closed
@nicknisi nicknisi merged commit 4954a3e into main Aug 29, 2025
4 checks passed
@nicknisi nicknisi deleted the nicknisi/signout-outside-middleware branch August 29, 2025 02:05
@nicknisi nicknisi mentioned this pull request Sep 2, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nholden nholden nholden approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

signOut() does not work if not using middleware
2 participants
@nicknisi @nholden