parse-community · dblythy · Mar 18, 2021 · Mar 18, 2021
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -3860,6 +3860,28 @@ describe('Parse.User testing', () => {
  });
  });
 
+ it('can logout with expired session token', async () => {
+ await Parse.User.signUp('asdf', 'zxcv');
+ const sessionQuery = new Parse.Query(Parse.Session);
+ const session = await sessionQuery.first({ useMasterKey: true });
+ const database = Config.get(Parse.applicationId).database;
+ await database.update(
+ '_Session',
+ { objectId: session.id },
+ { expiresAt: new Date().setFullYear(2010) },
+ {}
+ );
+ await Parse.User.logOut();
+ });
+
+ it('can logout with invalid session token', async () => {
+ await Parse.User.signUp('asdf', 'zxcv');
+ const sessionQuery = new Parse.Query(Parse.Session);
+ const session = await sessionQuery.first({ useMasterKey: true });
+ await session.destroy({ useMasterKey: true });
+ await Parse.User.logOut();
+ });
+
  it('does not duplicate session when logging in multiple times #3451', done => {
  const user = new Parse.User();
  user

diff --git a/src/middlewares.js b/src/middlewares.js
@@ -220,6 +220,9 @@ export function handleParseHeaders(req, res, next) {
  return Promise.resolve()
  .then(() => {
  // handle the upgradeToRevocableSession path on it's own
+ if (req.url === '/logout') {
+ return Promise.resolve();
+ }
  if (
  info.sessionToken &&
  req.url === '/upgradeToRevocableSession' &&
@@ -241,8 +244,8 @@ export function handleParseHeaders(req, res, next) {
  .then(auth => {
  if (auth) {
  req.auth = auth;
- next();
  }
+ next();
  })
  .catch(error => {
  if (error instanceof Parse.Error) {