I am using Heroku and have deployed mostly successfully. The logout has me really stumped. According to the docs, I should be passing a URL like
https://xxxxauth0tennantxxxx/v2/logout
or https://YOUR_DOMAIN/v2/logout?returnTo=http%3A%2F%2Fwww.example.com
When I do, I get OK back. But I am using the code below from the Auth0 docs, which builds the URL including the port number.
router.get('/logout', (req, res) => {
  req.logOut();
  let returnTo = req.protocol + '://' + req.hostname;
  const port = req.connection.localPort;
  if (port !== undefined && port !== 80 && port !== 443) {
    returnTo += ':' + port;
  }
  const logoutURL = new url.URL(
    util.format('https://%s/v2/logout', process.env.AUTH0_DOMAIN),
  );
  const searchString = querystring.stringify({
    client_id: process.env.AUTH0_CLIENT_ID,
    returnTo: returnTo,
  });
  logoutURL.search = searchString;
  res.redirect(logoutURL);
});
Heroku automatically assigns a port, however, so every time I try to log out I am met with the error: The "returnTo" querystring parameter "http://xxxxx.herokuapp.com:12345" is not defined as a valid URL in "Allowed Logout URLs".
I have tried adding every variant of allowed logout URL I can think of, but with no luck: http://localhost:8000,http://*.herokuapp.com,https://*.auth0.com/v2/logout,https://*.auth0.com/,https://xxxxxxx.auth0.com
I even tried setting app.set('trust proxy', 1); as some docs suggest for Heroku.
Please, how can I account for the dynamic port Heroku assigns in my logout URL?
Edit: I have tried this variant of the endpoint too
And I have tried to edit the endpoint call as
router.get('/logout', (req, res) => {
  let returnTo = req.protocol + '://' + req.hostname;
  const port = req.connection.localPort;
  if (port !== undefined && port !== 80 && port !== 443) {
    returnTo = process.env.NODE_ENV === 'production' ? `${returnTo}/` : `${returnTo}:${port}/`;
  }
  req.logout();
  if (req.session) {
    req.session.destroy(function(err) {
      if (err) {
        console.log(err);
      }
      console.log('Destroyed the user session on Auth0 endpoint');
      res.redirect(req.protocol + '://' + process.env.AUTH0_DOMAIN + '/v2/logout?client_id=' + process.env.AUTH0_CLIENT_ID + '&returnTo=' + returnTo +' ');
    });
  }
});
As the error message indicates, you need to add http://xxxxx.herokuapp.com:12345 to the Allowed Logout URLs in your application settings. Replace XXXXX with your Heroku app name and include the port number as well.
Finally, I just removed the port when building the URL and voilà, logged out and redirected to the home page.
router.get('/logout', (req, res) => {
  let returnTo = req.protocol + '://' + req.hostname;
  const port = req.connection.localPort;
  if (port !== undefined && port !== 80 && port !== 443) {
    returnTo = process.env.NODE_ENV === 'production' ? `${returnTo}/` : `${returnTo}`;
  }
  req.logout();
  if (req.session) {
    req.session.destroy(function(err) {
      if (err) {
        console.log(err);
      }
      console.log('Destroyed the user session on Auth0 endpoint');
      const logoutURL = new url.URL(
        util.format('https://%s/v2/logout', process.env.AUTH0_DOMAIN),
      );
      const searchString = querystring.stringify({
        client_id: process.env.AUTH0_CLIENT_ID,
        returnTo: returnTo,
      });
      logoutURL.search = searchString;
      res.redirect(logoutURL);
    });
  }
});
What a difference some rest makes for tired eyes. There is so much (excellent) documentation; it's just very confusing and overwhelming, but I think I got it now. Now to check all is secure and safe to use.
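An added example, not part of the original posts: it reproduces the port-bearing returnTo from the error message above, then builds the logout URL from a configured public origin instead of request data, so neither the dyno's internal port nor a client-supplied Host header can reach returnTo. `PUBLIC_BASE_URL`, `buildLogoutUrl`, `returnToFromRequest` and all sample values are hypothetical names and constructed data.

```javascript
// Added example, not from the original posts. PUBLIC_BASE_URL and the
// sample values are assumptions; set the base URL to the origin listed
// under "Allowed Logout URLs".

// The question's logic as a pure function: behind Heroku's router,
// localPort is the dyno's internal port, not the one the browser used.
function returnToFromRequest(req) {
  let returnTo = req.protocol + '://' + req.hostname;
  const port = req.connection.localPort;
  if (port !== undefined && port !== 80 && port !== 443) returnTo += ':' + port;
  return returnTo;
}

// Build returnTo from configuration instead of request data.
function buildLogoutUrl({ auth0Domain, clientId, baseUrl, path = '/' }) {
  const origin = new URL(baseUrl).origin;      // throws on malformed config
  const returnTo = new URL(path, origin);
  // "//other.example" or an absolute URL as path would switch origins.
  if (returnTo.origin !== origin) {
    throw new Error('returnTo left the configured origin');
  }
  const logout = new URL(`https://${auth0Domain}/v2/logout`);
  logout.search = new URLSearchParams({
    client_id: clientId,
    returnTo: returnTo.toString(),             // percent-encoded on output
  }).toString();
  return logout.toString();
}

// Constructed request, shaped like what Express sees on a dyno.
const fakeReq = {
  protocol: 'http',
  hostname: 'xxxxx.herokuapp.com',
  connection: { localPort: 12345 },
};
console.log(returnToFromRequest(fakeReq));

console.log(buildLogoutUrl({
  auth0Domain: 'tenant.example.auth0.com',     // constructed
  clientId: 'abc123',                          // constructed
  baseUrl: process.env.PUBLIC_BASE_URL || 'https://xxxxx.herokuapp.com',
}));
```

In a route handler, the returned string can be passed to `res.redirect()` once the local session has been destroyed; local development only needs a different base URL such as `http://localhost:8000`.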