Error: req#logout requires a callback function
Matthew C.
—The Problem
When using the Passport.js library for authenticating requests, you may get the following error:
Error: req#logout requires a callback function
If you’re using Passport.js version 0.6.0+, calling the logout() method synchronously will cause this error:
app.post("/logout", (req, res, next) => { req.logout(); res.redirect("/"); });
As of version 0.6.0, the logout() method is asynchronous to protect against session fixation attacks. A session fixation attack can only occur if a session ID is “fixed” at the time it is generated. The attacker also needs physical access to the same computer as the victim, unless the app has other security issues such as Cross-Site Scripting (XSS) vulnerabilities or accepting session IDs in URL parameters. The Passport.js version 0.6.0 release fixes the vulnerability by regenerating the session when a user logs in or out, which results in a new session ID.
The Solution
The Passport.js logout() method should have a callback function added as an argument if you are using version 0.6.0+:
app.post("/logout", (req, res, next) => { req.logout((err) => { if (err) { return next(err); } res.redirect("/"); }); });
- SentryWorkshop: Debugging your Node.js Project With Sentry
- Syntax.fmListen to the Syntax Podcast
- Community SeriesIdentify, Trace, and Fix Endpoint Regression Issues
- ResourcesBackend Error Monitoring 101
- Listen to the Syntax Podcast
![Syntax.fm logo]()
Tasty treats for web developers brought to you by Sentry. Get tips and tricks from Wes Bos and Scott Tolinski.
SEE EPISODES
Considered “not bad” by 4 million developers and more than 100,000 organizations worldwide, Sentry provides code-level observability to many of the world’s best-known companies like Disney, Peloton, Cloudflare, Eventbrite, Slack, Supercell, and Rockstar Games. Each month we process billions of exceptions from the most popular products on the internet.