Race condition on logout can prevent logout from Auth0 session #18

Open
athrawes opened this issue Jan 9, 2025 · 0 comments


athrawes commented Jan 9, 2025

Hello,

I've just encountered a race condition in the user logout flow where, when a user hits the Logout button, the user can be redirected to the Auth0 login screen before they fully complete the Auth0 logout flow.

This causes Auth0 to believe the user is still logged in and redirect the user to the configured loginRedirectUri in a logged-in state, despite the user clicking the Logout button.

This can happen if checkAuth is called before the redirect in logout completes when redirectWhenCheckAuth = true (default).

Basically, there is the possibility for the flow to look something like this:

```
logout                                      checkAuth
------------------------------------------  -----------------------------------------------------------------------------
| `logout()` called                         |
| -> Auth0 tokens in LocalStorage cleared   |
| -> Redirect to Auth0 /v2/logout starts    |
|                                           | `checkAuth()` called (e.g. resource starts loading in background)
|                                           | -> client.isAuthorized() fails (no local Auth0 tokens)
|                                           | -> client.loginWithRedirect() called
| (redirect cancelled)                      | -> Redirect to Auth0 /authorize starts and completes
|                                           | -> Auth0 /authorize sees a valid session, redirects to local /auth-callback
|                                           | -> local /auth-callback receives valid login, redirects to `loginRedirectUri`
```

I believe this should be something we could easily replicate in the quickstart by adding an artificial delay to the redirect in the Auth Provider.

```tsx
// App.tsx
// Imports as used by the ra-auth-auth0 quickstart (added here so the snippet is complete)
import { Auth0Client } from '@auth0/auth0-spa-js';
import { Admin } from 'react-admin';
import { BrowserRouter } from 'react-router-dom';
import jsonServerProvider from 'ra-data-json-server';
import { Auth0AuthProvider, httpClient } from 'ra-auth-auth0';

const auth0 = new Auth0Client({ ... });

const authProvider = Auth0AuthProvider(auth0, { ... });

// Override to simulate /v2/logout endpoint taking a long time; largely taken from
// https://github.com/marmelab/ra-auth-auth0/blob/main/packages/ra-auth-auth0/src/authProvider.ts#L80
// but provides an override for `openUrl` to introduce an artificial delay.
// react-admin expects `logout` to return a Promise, so the override is async and awaits the client.
authProvider.logout = async () => {
  await auth0.logout({
    openUrl: (url: string) => {
      // Tokens are already cleared at this point; only the redirect is delayed
      setTimeout(() => window.location.assign(url), 30000); // arbitrary delay time
    },
    logoutParams: {
      returnTo: import.meta.env.VITE_LOGOUT_REDIRECT_URL || window.location.origin,
    },
  });

  return false;
};

const App = () => {
    // ...
    return (
        <BrowserRouter>
            <Admin
                authProvider={authProvider}
                dataProvider={jsonServerProvider(
                    'http://localhost:3000',
                    httpClient(auth0)
                )}
                // ...
            >
                {/* ... */}
            </Admin>
        </BrowserRouter>
    );
};
```

Running my application with an artificial delay, I'm able to pretty consistently trigger this behavior by clicking on the Logout button, and then interacting with the user menu before the delay time expires.

Without this delay, it is very hit-or-miss whether you'd encounter this in the wild; maybe one in a hundred requests? This would be very dependent on the load on Auth0's end, but it occurs often enough that my users have noticed this and complained 🤷

I'm currently using

  • react-admin ^5.2
  • ra-auth-auth0 ^2.0
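The ordering in the table above, replayed as an added example (not code from the issue or from ra-auth-auth0): a fake Auth0 client and a hypothetical two-method authProvider show that `checkAuth` loses the race and starts a fresh `/authorize` round-trip, and that a "logout in flight" flag in the provider stops it. The tenant URL and the provider shape are assumptions.

```typescript
// Added example, not code from the issue or from ra-auth-auth0: a minimal model of
// the logout/checkAuth race and a "logout in flight" guard that stops checkAuth
// from starting a new /authorize round-trip while /v2/logout has not completed.
type OpenUrl = (url: string) => Promise<void>;

// Stand-in for Auth0Client: tokens live in "LocalStorage" (a flag here) and are
// cleared before the /v2/logout redirect is opened, exactly the ordering in the issue.
class FakeAuth0Client {
  private tokens = true;
  loginRedirects = 0; // number of loginWithRedirect() calls (= /authorize round-trips)
  async isAuthenticated(): Promise<boolean> { return this.tokens; }
  async loginWithRedirect(): Promise<void> { this.loginRedirects += 1; }
  async logout(openUrl: OpenUrl): Promise<void> {
    this.tokens = false;
    await openUrl("https://tenant.example/v2/logout"); // placeholder tenant (assumed)
  }
}

// Hypothetical authProvider shape: only the two methods the race involves.
function makeAuthProvider(client: FakeAuth0Client, guarded: boolean) {
  let logoutInFlight = false;
  return {
    async logout(openUrl: OpenUrl): Promise<false> {
      logoutInFlight = true;
      await client.logout(openUrl);
      return false;
    },
    async checkAuth(): Promise<void> {
      // Guard: while /v2/logout is pending, do nothing rather than call
      // loginWithRedirect(), which would find the still-valid Auth0 session.
      if (guarded && logoutInFlight) return;
      if (await client.isAuthenticated()) return;
      await client.loginWithRedirect(); // redirectWhenCheckAuth = true behaviour
    },
  };
}

// Replays the issue's timeline: logout starts, the redirect is slow, checkAuth runs
// in the background before the redirect completes. Returns the /authorize count.
async function runRace(guarded: boolean): Promise<number> {
  const client = new FakeAuth0Client();
  const provider = makeAuthProvider(client, guarded);
  let completeRedirect: () => void = () => {};
  const slowRedirect: OpenUrl = () => new Promise<void>((r) => { completeRedirect = () => r(); });
  const logoutDone = provider.logout(slowRedirect); // tokens cleared, redirect pending
  await provider.checkAuth();                        // background checkAuth during the delay
  completeRedirect();
  await logoutDone;
  return client.loginRedirects; // 1 without the guard (race lost), 0 with it
}
```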