fix: panic during OIDC logout with empty token (#25874)

Signed-off-by: Patroklos Papapetrou <ppapapetrou76@gmail.com>
2026-02-20 01:28:45 +01:00 · 2026-01-06 16:30:28 +02:00
parent 4a5d3a79cc
commit ced94022b3
2 changed files with 20 additions and 3 deletions
--- a/server/logout/logout.go
+++ b/server/logout/logout.go
@@ -54,7 +54,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 	argoCDSettings, err := h.settingsMgr.GetSettings()
 	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
 		http.Error(w, "Failed to retrieve argoCD settings: "+err.Error(), http.StatusInternalServerError)
 		return
 	}
@@ -74,11 +73,15 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {

 	cookies := r.Cookies()
 	tokenString, err = httputil.JoinCookies(common.AuthCookieName, cookies)
-	if tokenString == "" || err != nil {
-		w.WriteHeader(http.StatusBadRequest)
+	// Build message safely: only include err when non-nil
+	if err != nil {
 		http.Error(w, "Failed to retrieve ArgoCD auth token: "+err.Error(), http.StatusBadRequest)
 		return
 	}
+	if tokenString == "" {
+		http.Error(w, "Failed to retrieve ArgoCD auth token", http.StatusBadRequest)
+		return
+	}

 	for _, cookie := range cookies {
 		if !strings.HasPrefix(cookie.Name, common.AuthCookieName) {
--- a/server/logout/logout_test.go
+++ b/server/logout/logout_test.go
@@ -287,6 +287,8 @@ func TestHandlerConstructLogoutURL(t *testing.T) {
 	nonOidcTokenHeader["Cookie"] = []string{"argocd.token=" + nonOidcToken}
 	invalidHeader := make(map[string][]string)
 	invalidHeader["Cookie"] = []string{"argocd.token=" + invalidToken}
+	emptyHeader := make(map[string][]string)
+	emptyHeader["Cookie"] = []string{"argocd.token="}
 	ctx := t.Context()

 	oidcRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:4000/api/logout", http.NoBody)
@@ -302,6 +304,10 @@ func TestHandlerConstructLogoutURL(t *testing.T) {
 	requestWithInvalidToken, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:4000/api/logout", http.NoBody)
 	require.NoError(t, err)
 	requestWithInvalidToken.Header = invalidHeader
+	requestWithEmptyToken, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:4000/api/logout", http.NoBody)
+	require.NoError(t, err)
+	requestWithEmptyToken.Header = emptyHeader
+
 	invalidRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:4000/api/logout", http.NoBody)
 	require.NoError(t, err)

@@ -346,6 +352,14 @@ func TestHandlerConstructLogoutURL(t *testing.T) {
 			expectedLogoutURL: expectedNonOIDCLogoutURL,
 			wantErr:           false,
 		},
+		{
+			name:              "Case: Logout request with empty token",
+			handler:           nonoidcHandler,
+			request:           requestWithEmptyToken,
+			responseRecorder:  httptest.NewRecorder(),
+			expectedLogoutURL: expectedNonOIDCLogoutURL,
+			wantErr:           true,
+		},
 		{
 			name:              "Case: Logout request with missing token",
 			handler:           oidcHandler,