From 8600c41408d35fa871b2223a88953b8521c54c34 Mon Sep 17 00:00:00 2001 From: Jared Perreault <90656038+jaredperreault-okta@users.noreply.github.com> Date: Tue, 30 Nov 2021 10:54:52 -0500 Subject: [PATCH] fix: invoking logout without credentials no longer throws error --- src/logout.js | 4 ++++ test/unit/logout.spec.js | 11 ++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/src/logout.js b/src/logout.js index 9520a4a..f786ba1 100644 --- a/src/logout.js +++ b/src/logout.js @@ -55,6 +55,10 @@ logout.forceLogoutAndRevoke = context => { } const revokeToken = makeTokenRevoker({ issuer, client_id, client_secret, errorHandler: makeErrorHandler(emitter) }); return async (req, res /*, next */) => { + if (!req.userContext) { + return res.sendStatus(401); + } + const tokens = req.userContext.tokens; const revokeIfExists = token_hint => tokens[token_hint] ? revokeToken({token_hint, token: tokens[token_hint]}) : null; const revokes = REVOKABLE_TOKENS.map( revokeIfExists ); diff --git a/test/unit/logout.spec.js b/test/unit/logout.spec.js index cec7c4c..51ac805 100644 --- a/test/unit/logout.spec.js +++ b/test/unit/logout.spec.js @@ -73,7 +73,16 @@ describe('logout', () => { }; }); - + describe('logout without active session', () => { + it('returns 401', async () => { + res.sendStatus = jest.fn(); + req.userContext = undefined; + await logout(req, res); + expect(fetch).not.toHaveBeenCalled(); + expect(res.sendStatus).toHaveBeenCalledWith(401); + }); + }); + describe('revoke tokens', () => { it('revokes refresh_token', async () => { const tokenVal = 'sometoken';
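Review bot: The new guard in the `forceLogoutAndRevoke` handler checks only `req.userContext`, so a context that exists but carries no `tokens` still reaches `tokens[token_hint]` and throws the same kind of TypeError this commit sets out to remove. Defaulting the lookup, `const tokens = req.userContext.tokens || {};`, would let such a request skip revocation and continue with the rest of the logout instead of crashing. The early `return res.sendStatus(401);` also exits before whatever follows the revoke calls; the handler body continues outside the hunk, so if local session teardown lives there, a request that has a session but no `userContext` would presumably keep that session, which is worth confirming. The test hunk in `test/unit/logout.spec.js` covers only `req.userContext = undefined`; a case with `req.userContext = {}` would pin the path where tokens are missing.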