Error: req#logout requires a callback function

Matthew C. — July 15, 2024

When using the Passport.js library for authenticating requests, you may get the following error:

Error: req#logout requires a callback function

If you’re using Passport.js version 0.6.0+, calling the logout() method without a callback function, in the older synchronous style, will cause this error:

app.post("/logout", (req, res, next) => {
  req.logout();
  res.redirect("/");
});

As of version 0.6.0, the logout() method is asynchronous to protect against session fixation attacks. In a session fixation attack, the attacker “fixes” the victim’s session ID to a value the attacker already knows, so the attack can only work if the session ID stays the same after it is generated. The attacker also needs physical access to the same computer as the victim, unless the app has other security issues such as Cross-Site Scripting (XSS) vulnerabilities or accepting session IDs in URL parameters. The Passport.js version 0.6.0 release fixes the vulnerability by regenerating the session when a user logs in or out, which results in a new session ID.

The Solution

The Passport.js logout() method should have a callback function added as an argument if you are using version 0.6.0+:
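One way to write the route, as an added example (not code from the original page or from Passport.js). logoutHandler is what you would register with app.post("/logout", ...); makeFakeReq, newSessionId and runLogout are hypothetical stand-ins constructed here so the block runs without Express or Passport installed.

```javascript
// Route handler for Passport.js 0.6.0+: pass logout() a callback.
// Register it with: app.post("/logout", logoutHandler);
function logoutHandler(req, res, next) {
  req.logout((err) => {
    if (err) return next(err); // session could not be reset: hand off to error middleware
    res.redirect("/");         // respond only after logout has completed
  });
}

// Constructed stand-in for a request object (assumption, not Passport's code).
// It mimics the behaviour described above: logout() throws without a callback
// and, with one, clears req.user and issues a new session ID asynchronously.
let issued = 0;
const newSessionId = () => `sess-${++issued}`; // constructed IDs, not real ones

function makeFakeReq({ failRegenerate = false } = {}) {
  const req = { sessionID: newSessionId(), user: { id: 1 } };
  req.logout = (done) => {
    if (typeof done !== "function") {
      throw new Error("req#logout requires a callback function");
    }
    setImmediate(() => {
      if (failRegenerate) return done(new Error("session store unavailable"));
      delete req.user;
      req.sessionID = newSessionId();
      done();
    });
  };
  return req;
}

// Drives logoutHandler with fake req/res/next and reports what happened.
function runLogout(options) {
  return new Promise((resolve) => {
    const req = makeFakeReq(options);
    const before = req.sessionID;
    const report = (extra) =>
      resolve({ rotated: req.sessionID !== before, loggedIn: "user" in req, ...extra });
    const res = { redirect: (to) => report({ redirectedTo: to }) };
    logoutHandler(req, res, (err) => report({ error: err.message }));
  });
}

runLogout().then((r) => console.log("ok path:", r));
runLogout({ failRegenerate: true }).then((r) => console.log("error path:", r));
```

If the redirect were sent outside the callback, the response could go out before the session had been reset, and a failure to reset it would never reach the error middleware.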