feat: Allow logout with invalid session token #1803

Open
wants to merge 19 commits into
base: alpha
from

Conversation

dblythy
Member

@dblythy dblythy commented Mar 2, 2023

Pull Request

Issue

Currently, if trying to logout with an invalid session token, you will need to catch the error, and call logout again. It can be a bit tedious.

Closes: #307

Approach

Improves clearing session by allowing Parse.User.logOut({ clearSession: true }), which resolves even if an invalid session token is returned.

Tasks

  • Add tests

Summary by CodeRabbit

  • New Features

    • Added an optional setting to the logout process that allows users to specify whether to clear their session if the session token is invalid.
  • Bug Fixes

    • Improved handling of invalid session tokens during logout, preventing unnecessary errors when the new session clearing option is enabled.
  • Tests

    • Introduced new test cases to verify logout behavior with the session clearing option and invalid session tokens.
  • Documentation

    • Updated documentation to reflect the new logout option and its behavior.

@parse-github-assistant

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title feat: allow logout with invalid session token feat: Allow logout with invalid session token Mar 2, 2023
@parse-github-assistant

Thanks for opening this pull request!

@codecov

codecov bot commented Mar 2, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 100.00%. Comparing base (7a89342) to head (f412d7f).

Additional details and impacted files
@@            Coverage Diff            @@
##             alpha     #1803   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           63        63           
  Lines         6174      6180    +6     
  Branches      1449      1466   +17     
=========================================
+ Hits          6174      6180    +6     

@mtrezza
Member

mtrezza commented Mar 2, 2023

Currently, if trying to logout with an invalid session token, you will need to catch the error, and call logout again.

What would be the difference between the first and second logout request? What makes the first fail and the second succeed?

@mtrezza
Member

mtrezza commented Jul 23, 2023

@dblythy Friendly ping regarding the previous question. If the 1st logout attempt fails, why does the 2nd attempt (after catching the error) succeed?

@dplewis
Member

dplewis commented Sep 3, 2023

@dblythy We should add this to the server side like parse-community/parse-server#8722 so that it can work for all SDKs

@mtrezza I have no idea why there is a need to call Parse.User.logOut twice when there is an invalid session error to log out. I've been running into this issue a lot while fixing sessionToken invalid issues.

@mtrezza
Member

mtrezza commented Sep 3, 2023

Could you please open a separate issue for this?

@dblythy
Member Author

dblythy commented Sep 3, 2023

@dplewis see parse-community/parse-server#7277 (comment)

@kishanio

are we still tracking this?

@dplewis
Member

dplewis commented Apr 2, 2025

@dblythy Nice job! Can you fix the merge conflicts?

@dplewis
Member

dplewis commented Apr 16, 2025

@dblythy @mtrezza This is ready to merge

@dplewis dplewis requested a review from a team April 17, 2025 16:25
@@ -812,11 +812,13 @@ class ParseUser<T extends Attributes = Attributes> extends ParseObject<T> {
* <code>current</code> will return <code>null</code>.
*
* @param {object} options
* @param {boolean} [options.clearSession] If true, the session token will be
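
Review bot: the visible part of the options.clearSession description leads with the mechanism ("the session token will be ...") and does not say when the option applies. State the trigger and the outcome first: the option only matters when the server rejects the logout request with INVALID_SESSION_TOKEN, the returned promise then resolves instead of rejecting, and every other error still rejects. Also document that it is off unless set to true, so callers relying on the existing rejection see no change.
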
Member

I think this needs a better explanation. It's now a rather technical description but not so clear what the purpose of the option is and why / when one should use it.

Member

What do you recommend we change it to?

Member

@mtrezza mtrezza May 6, 2025

I don't have a suggestion because I don't understand what the option exactly is for, from a practical perspective.

See #1803 (comment).


coderabbitai bot commented May 6, 2025

Walkthrough

The changes update the logout functionality to allow an optional clearSession flag in the method signature for logging out a user. This flag enables explicit control over whether to clear the session token when an invalid session token error occurs. Corresponding type declarations and tests are updated to support and verify this new option.

Changes

| File(s) | Change Summary |
|---|---|
| src/CoreManager.ts, types/CoreManager.d.ts | Updated UserController.logOut method signature to accept options?: RequestOptions & { clearSession?: boolean }. |
| src/ParseUser.ts, types/ParseUser.d.ts | Updated ParseUser.logOut and DefaultController.logOut signatures to accept clearSession option; added related logic. |
| src/__tests__/ParseUser-test.js | Added tests for logout with clearSession option and invalid session token handling. |

Sequence Diagram(s)

sequenceDiagram
    participant App as Application
    participant ParseUser as ParseUser
    participant Controller as DefaultController
    participant Server as Parse Server

    App->>ParseUser: logOut({ clearSession })
    ParseUser->>Controller: logOut({ clearSession })
    Controller->>Server: Request logout (with sessionToken)
    alt Server returns INVALID_SESSION_TOKEN
        alt clearSession is true
            Controller-->>ParseUser: Suppress error, clear session
        else clearSession is false or undefined
            Controller-->>ParseUser: Propagate INVALID_SESSION_TOKEN error
        end
    else Logout successful
        Controller-->>ParseUser: Success
    end
    ParseUser-->>App: Promise resolved/rejected

Assessment against linked issues

| Objective | Addressed | Explanation |
|---|---|---|
| Provide a mechanism to handle INVALID_SESSION_TOKEN errors by allowing session clearing (307) | | |
| Update logout API to support explicit session clearing option for invalid session token (307) | | |
| Add tests to ensure correct handling of logout with invalid session token and clearSession (307) | | |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (1)
src/ParseUser.ts (1)

815-816: Improve documentation to clarify purpose and use cases

The current documentation is rather technical and doesn't clearly explain when and why a developer would use this option. Consider expanding it to describe practical use cases, such as handling logout during invalid session scenarios without requiring error catching.

🧹 Nitpick comments (2)
types/ParseUser.d.ts (1)

401-403: Method signature matches implementation, but has indentation issue.

The static logOut method signature is properly updated to include the clearSession option, maintaining consistency with other changes.

The indentation is inconsistent with the rest of the file according to ESLint. Adjust to use 2 spaces instead of 4 for proper alignment.

-    static logOut(options?: RequestOptions & {
-        clearSession?: boolean;
-    }): Promise<void>;
+  static logOut(options?: RequestOptions & {
+    clearSession?: boolean;
+  }): Promise<void>;
🧰 Tools
🪛 ESLint

[error] 401-401: Expected indentation of 2 spaces but found 4.

(indent)

src/ParseUser.ts (1)

1212-1218: Remove console.log statement from production code

The console.log statement appears to be left over from debugging and should be removed before merging to production.

const promiseCatch = e => {
-  console.log(e, options);
  if (e.code === ParseError.INVALID_SESSION_TOKEN && options?.clearSession) {
    return;
  }
  throw e;
};
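
Review bot: console.log(e, options) at the top of promiseCatch prints the whole options object, and the tests described for this PR pass an explicit session token in those options, so this line writes a credential to the console, not just debug noise. The handler runs for every rejection, including failures where the token is still valid, so remove the line as suggested and keep options out of any logging added on this path later.
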
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7a89342 and f412d7f.

📒 Files selected for processing (5)
  • src/CoreManager.ts (1 hunks)
  • src/ParseUser.ts (2 hunks)
  • src/__tests__/ParseUser-test.js (1 hunks)
  • types/CoreManager.d.ts (1 hunks)
  • types/ParseUser.d.ts (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (3)
  • GitHub Check: build (Node 20, 20.15.1)
  • GitHub Check: build (Node 22, 22.4.1)
  • GitHub Check: build (Node 18, 18.20.4)
🔇 Additional comments (9)
src/CoreManager.ts (1)

200-200: Clear and appropriate parameter extension for logout.

Adding the optional clearSession boolean to the logOut method signature in the UserController interface allows for more flexible session handling during logout, particularly when dealing with invalid session tokens.

types/CoreManager.d.ts (1)

181-183: Type declaration matches implementation.

The declaration file correctly reflects the changes made to the UserController interface in the source file, ensuring type safety across the codebase.

types/ParseUser.d.ts (1)

395-396: Clear documentation for the new option.

The JSDoc comment effectively explains the purpose of the clearSession parameter, making it clear for developers how to use this feature.

src/__tests__/ParseUser-test.js (3)

1044-1059: Good test coverage for basic clearSession functionality.

This test case verifies that when clearSession: true is provided, the logout process completes successfully even when the server responds with an invalid session token error.


1061-1076: Comprehensive test for clearSession with explicit sessionToken.

This test confirms that the clearSession flag works correctly even when a specific session token is provided in the options, which is important for non-current user logout scenarios.


1078-1098: Thorough validation of error handling with clearSession: false.

This test verifies that when clearSession is explicitly set to false, the invalid session token error is properly propagated to the caller, maintaining backward compatibility with existing error handling patterns.

src/ParseUser.ts (3)

821-821: LGTM! Method signature properly updated

The method signature correctly includes the new clearSession optional parameter with appropriate typing.


1220-1220: LGTM! Error handling properly implemented

The error handler is correctly applied to handle invalid session token errors when the clearSession option is set.


1228-1233: LGTM! Consistent error handling for current user logout

The same error handling approach is consistently applied to the current user logout scenario, ensuring the feature works in both contexts.
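
The flow in the walkthrough's sequence diagram and the promiseCatch handler reviewed above, as an added self-contained model (not code from this PR or from the Parse SDK). makeServer, logOut, store and the r: token strings are hypothetical stand-ins, and keeping the local token when the error propagates is an assumption of the model. It goes one step beyond the thread by including an unreachable-server case, which the handler does not suppress.

```javascript
// Added model for illustration; not Parse SDK code. makeServer, logOut and
// store are hypothetical. Error codes are the ParseError constants.
const INVALID_SESSION_TOKEN = 209;
const CONNECTION_FAILED = 100;
const fail = (code, msg) => Object.assign(new Error(msg), { code });

// Constructed stand-in for the server's session table.
function makeServer(liveTokens, { offline = false } = {}) {
  const sessions = new Set(liveTokens);
  return {
    sessions,
    async logout(token) {
      if (offline) throw fail(CONNECTION_FAILED, 'unable to reach server');
      if (!sessions.delete(token)) throw fail(INVALID_SESSION_TOKEN, 'Invalid session token');
    },
  };
}

// store stands in for the client's locally persisted current user.
async function logOut(server, store, options = {}) {
  const promiseCatch = e => {
    // Same condition as the handler in the PR: suppress only this one code.
    if (e.code === INVALID_SESSION_TOKEN && options.clearSession) return;
    throw e;
  };
  await server.logout(store.sessionToken).catch(promiseCatch);
  // Model assumption: local token is dropped only if the line above resolved.
  store.sessionToken = null;
}

async function demo() {
  const out = {};
  // 1. Stale local token, clearSession: true -> resolves, token dropped.
  let store = { sessionToken: 'r:stale' };
  await logOut(makeServer(['r:live']), store, { clearSession: true });
  out.staleCleared = store.sessionToken;
  // 2. Stale local token, default options -> rejects with 209.
  store = { sessionToken: 'r:stale' };
  out.staleDefault = await logOut(makeServer(['r:live']), store).catch(e => e.code);
  // 3. Server unreachable, clearSession: true -> still rejects; session not revoked.
  store = { sessionToken: 'r:live' };
  const server = makeServer(['r:live'], { offline: true });
  out.offline = await logOut(server, store, { clearSession: true }).catch(e => e.code);
  out.offlineTokenKept = store.sessionToken;
  out.offlineSessionAlive = server.sessions.has('r:live');
  return out;
}
```

Case 3 is the one to keep when changing this handler: a logout that fails for any reason other than an already-invalid token leaves a usable session on the server, so the caller has to see that rejection.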

@mtrezza
Member

mtrezza commented May 6, 2025

I understand that with the new option this PR introduces, the session token will be removed if the server returns that it's invalid, but:

  • Why would I set this for a specific method instead of as a general option for the whole SDK, i.e. why is this not relevant for other API calls as well?
  • If this is an option, why would I want to maintain an invalid session token at all?
  • How are other Parse SDKs handling this for comparison?

@parseplatformorg
Contributor

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

Successfully merging this pull request may close these issues.

Improving Invalid Session Handling
5 participants