
Fix: Safely handle missing session data on redirect#33

Open
ba2slk wants to merge 1 commit into Azure-Samples:main from ba2slk:bugfix/graceful-redirection

Conversation

@ba2slk ba2slk commented Aug 30, 2025

Purpose

Problem

  • The previous code would crash the server when it attempted to access req.session.pkceCodes.verifier after the redirect, leading to a 'net::ERR_CONNECTION_RESET' error in the browser.

Solution

  • Added a guard clause to the handleRedirect method to prevent a TypeError that occurred when the session data was lost.
  • The new code checks if the necessary session data is available. If it's missing, it gracefully redirects the user to the home page, allowing them to restart the login flow without causing a server crash.

Does this introduce a breaking change?

[ ] Yes
[x] No

Pull Request Type

What kind of change does this Pull Request introduce?

[x] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Documentation content changes
[ ] Other... Please describe:

How to Test

  • Get the code
git clone https://github.com/ba2slk/ms-identity-node.git
cd ms-identity-node
git checkout bugfix/graceful-redirection
cd App
npm install
  • Test the code

Manual Test

  1. Set up your environment by creating a .env.dev file with valid credentials:
CLIENT_ID=[Your Application (client) ID]
CLIENT_SECRET=[Your Client Secret]
REDIRECT_URI=[Your Redirect URI, e.g., http://localhost:3000/redirect]
EXPRESS_SESSION_SECRET=[A long, random string]
  2. Start the server and access http://localhost:3000/.
  3. Click the "Login" button and complete the Microsoft sign-in process.

Verify the Fix:
Before the fix, the server would crash with a TypeError after a successful login redirect because req.session.pkceCodes was undefined.

After applying the guard clause, the server should no longer crash. Instead, it should gracefully redirect you to the main page (/), allowing the login flow to complete successfully.

What to Check

Verify that the following are valid:

  • The server does not crash with a TypeError.
  • The user is redirected to the main page (/) after a successful login.

Other Information

Added a guard clause to the `handleRedirect` method to prevent a `TypeError` that occurred when the session data was lost.
The previous code would crash the server when it attempted to access `req.session.pkceCodes.verifier` after the redirect, leading to a 'net::ERR_CONNECTION_RESET' error in the browser.
The new code checks if the necessary session data is available. If it's missing, it gracefully redirects the user to the home page, allowing them to restart the login flow without causing a server crash.
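The guard clause described above, shown as an added example that is not the sample project's code: an Express-style redirect handler for the authorization-code + PKCE flow, first in the unguarded form that throws a TypeError when req.session.pkceCodes is gone, then with the guard that sends the user back to / to restart the login flow. The MSAL client is a constructed stub (fakeMsalClient) so the file runs offline, and the request/response objects are stand-ins for Express's; checkRedirectSession, handleRedirectUnguarded and handleRedirectGuarded are hypothetical names. It goes slightly beyond the PR in two places, both marked in comments: it also treats a missing code query parameter as a reason to redirect, and it deletes the PKCE verifier from the session once the code has been redeemed.

```javascript
'use strict';

// Constructed stand-in for MSAL Node's ConfidentialClientApplication. Only
// acquireTokenByCode is modelled; the real call redeems the code with the
// identity provider over HTTPS.
const fakeMsalClient = {
  async acquireTokenByCode({ code, codeVerifier }) {
    if (!code || !codeVerifier) throw new Error('missing code or verifier');
    return { account: { username: 'user@example.com' } };
  },
};

// Minimal stand-ins for an Express request/response pair (no server needed).
function makeReq(session, query) {
  return { session, query: query || {} };
}
function makeRes() {
  const res = { redirectedTo: null };
  res.redirect = (url) => { res.redirectedTo = url; };
  return res;
}

// Pure guard: decides whether the callback can be processed from what the
// session holds. Returning a reason string keeps it easy to log and to test.
function checkRedirectSession(session, query) {
  if (!session || !session.pkceCodes || !session.pkceCodes.verifier) {
    return 'missing-session'; // session expired, was cleared, or cookie not sent
  }
  if (!query.code) {
    return 'missing-code';    // addition beyond the PR: provider error or user cancelled
  }
  return null;                // safe to redeem the code
}

// "Before": dereferences req.session.pkceCodes.verifier unconditionally.
// When the session was lost between /login and /redirect, pkceCodes is
// undefined and the property access throws a TypeError (the crash in the PR).
async function handleRedirectUnguarded(msalClient, req, res) {
  const tokenResponse = await msalClient.acquireTokenByCode({
    code: req.query.code,
    codeVerifier: req.session.pkceCodes.verifier, // TypeError when pkceCodes is undefined
  });
  req.session.account = tokenResponse.account;
  req.session.isAuthenticated = true;
  res.redirect('/');
  return 'ok';
}

// "After": run the guard first; on any failure redirect to / so the user can
// start /login again instead of the process dying on an unhandled TypeError.
async function handleRedirectGuarded(msalClient, req, res) {
  const problem = checkRedirectSession(req.session, req.query);
  if (problem) {
    res.redirect('/');
    return problem;
  }
  const tokenResponse = await msalClient.acquireTokenByCode({
    code: req.query.code,
    codeVerifier: req.session.pkceCodes.verifier,
  });
  delete req.session.pkceCodes; // addition beyond the PR: the verifier is single-use
  req.session.account = tokenResponse.account;
  req.session.isAuthenticated = true;
  res.redirect('/');
  return 'ok';
}

// Stand-alone run: exercise the lost-session case against both handlers.
async function demo() {
  const lost = makeReq({}, { code: 'constructed-auth-code' });
  const res = makeRes();
  const outcome = await handleRedirectGuarded(fakeMsalClient, lost, res);
  console.log('guarded:', outcome, '-> redirect to', res.redirectedTo);
  try {
    await handleRedirectUnguarded(fakeMsalClient, lost, makeRes());
  } catch (e) {
    console.log('unguarded:', e.constructor.name, '-', e.message);
  }
}
demo();
```

In a real app the same guard belongs in front of any other session-derived value the callback needs (for example a stored state or nonce), because once the session cookie is missing none of them can be trusted, and redirecting to / is the right failure for all of them.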