From ced94022b35e9cd4eb1724935acd359323d034e6 Mon Sep 17 00:00:00 2001
From: Papapetrou Patroklos <1743100+ppapapetrou76@users.noreply.github.com>
Date: Tue, 6 Jan 2026 16:30:28 +0200
Subject: [PATCH] fix: panic during OIDC logout with empty token (#25874)
Signed-off-by: Patroklos Papapetrou
---
 server/logout/logout.go | 9 ++++++---
 server/logout/logout_test.go | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/server/logout/logout.go b/server/logout/logout.go
index 75f017835c..b1e7628972 100644
--- a/server/logout/logout.go
+++ b/server/logout/logout.go
@@ -54,7 +54,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 argoCDSettings, err := h.settingsMgr.GetSettings()
 if err != nil {
- w.WriteHeader(http.StatusInternalServerError)
 http.Error(w, "Failed to retrieve argoCD settings: "+err.Error(), http.StatusInternalServerError)
 return
 }
@@ -74,11 +73,15 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 cookies := r.Cookies()
 tokenString, err = httputil.JoinCookies(common.AuthCookieName, cookies)
- if tokenString == "" || err != nil {
- w.WriteHeader(http.StatusBadRequest)
+ // Build message safely: only include err when non-nil
+ if err != nil {
 http.Error(w, "Failed to retrieve ArgoCD auth token: "+err.Error(), http.StatusBadRequest)
 return
 }
+ if tokenString == "" {
+ http.Error(w, "Failed to retrieve ArgoCD auth token", http.StatusBadRequest)
+ return
+ }
 for _, cookie := range cookies {
 if !strings.HasPrefix(cookie.Name, common.AuthCookieName) {
diff --git a/server/logout/logout_test.go b/server/logout/logout_test.go
index 42f59f8ca1..a500668a51 100644
--- a/server/logout/logout_test.go
+++ b/server/logout/logout_test.go
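Review bot: The new comment `// Build message safely: only include err when non-nil` says what the code does rather than why the two checks must stay separate; the old combined condition dereferenced `err` when `tokenString` was empty but `err` was nil, which is the panic this commit fixes. A comment such as `// JoinCookies can return ("", nil) for a present-but-empty cookie; check err before using it so an empty token does not panic (#25874)` would keep a later refactor from merging the branches again. The err branch still echoes `err.Error()` into the 400 response body as it did before this change; that is pre-existing, but if JoinCookies' error text can carry internal detail, logging it server-side and returning the fixed message would be the safer shape. The enclosing ServeHTTP begins and ends outside both hunks of this file.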
@@ -287,6 +287,8 @@ func TestHandlerConstructLogoutURL(t *testing.T) {
 nonOidcTokenHeader["Cookie"] = []string{"argocd.token=" + nonOidcToken}
 invalidHeader := make(map[string][]string)
 invalidHeader["Cookie"] = []string{"argocd.token=" + invalidToken}
+ emptyHeader := make(map[string][]string)
+ emptyHeader["Cookie"] = []string{"argocd.token="}
 ctx := t.Context()
 oidcRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:4000/api/logout", http.NoBody)
@@ -302,6 +304,10 @@ func TestHandlerConstructLogoutURL(t *testing.T) {
 requestWithInvalidToken, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:4000/api/logout", http.NoBody)
 require.NoError(t, err)
 requestWithInvalidToken.Header = invalidHeader
+ requestWithEmptyToken, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:4000/api/logout", http.NoBody)
+ require.NoError(t, err)
+ requestWithEmptyToken.Header = emptyHeader
+
 invalidRequest, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost:4000/api/logout", http.NoBody)
 require.NoError(t, err)
@@ -346,6 +352,14 @@ func TestHandlerConstructLogoutURL(t *testing.T) {
 expectedLogoutURL: expectedNonOIDCLogoutURL,
 wantErr: false,
 },
+ {
+ name: "Case: Logout request with empty token",
+ handler: nonoidcHandler,
+ request: requestWithEmptyToken,
+ responseRecorder: httptest.NewRecorder(),
+ expectedLogoutURL: expectedNonOIDCLogoutURL,
+ wantErr: true,
+ },
 {
 name: "Case: Logout request with missing token",
 handler: oidcHandler,
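Review bot: The new `Case: Logout request with empty token` entry drives `nonoidcHandler`, while the commit subject reports the panic during OIDC logout; the empty-cookie check in logout.go presumably runs before any OIDC-specific branch, so this case does reach it, but a sibling entry with `handler: oidcHandler` (as the adjacent missing-token case uses) would pin the reported path directly. The entry also sets `expectedLogoutURL: expectedNonOIDCLogoutURL` next to `wantErr: true`; if the table loop skips the URL comparison on error, that field is dead and could follow whatever the other error cases do. The enclosing TestHandlerConstructLogoutURL begins and ends outside this hunk, so the assertion loop that consumes these fields is not visible here.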