The Node.js keycloak-nodejs-connect adapter (version 4.3) is used in an application gateway to protect microservices' endpoints, configured according to the docs:
var session = require('express-session');
var Keycloak = require('keycloak-connect');
var memoryStore = new session.MemoryStore();
var keycloak = new Keycloak({ store: memoryStore });
However, after a user login/logout flow, the connect.sid cookie originating from express-session is still stored in the browser. This causes unexpected issues if another user logs in via the same browser afterwards.

How can the connect.sid express-session cookie be cleared correctly?

Overriding the adapter's session store code by adding response.clearCookie('connect.sid', { path: '/' }); to the unstore function helped. However, it seems too complicated:
var SessionStore = require('keycloak-connect/stores/session-store');

// Same as the adapter's default: keep the raw grant in the express-session record.
let store = (grant) => {
  return (request, response) => {
    request.session[SessionStore.TOKEN_KEY] = grant.__raw;
  };
};

// Remove the grant from the session and, additionally, drop the
// express-session cookie so the browser does not keep the old session id.
let unstore = (request, response) => {
  delete request.session[SessionStore.TOKEN_KEY];
  response.clearCookie('connect.sid', { path: '/' });
};

// Replace the adapter's wrap() so every grant uses the handlers above.
SessionStore.prototype.wrap = (grant) => {
  if (grant) {
    grant.store = store(grant);
    grant.unstore = unstore;
  }
};
Does some keycloak adapter or express-session configuration achieve the goal better?
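An added example, not part of the question and not keycloak-connect's or express-session's own code: a logout handler that first destroys the server-side express-session record (which removes the stored Keycloak grant from the store) and only then clears the session cookie with the same path it was set with, before redirecting to the Keycloak end-session endpoint. The Keycloak URL, the cookie name and the minimal req/res stand-ins are assumptions or constructed values so the example runs without express installed; the handler itself only relies on the express-session `req.session.destroy(cb)` and Express `res.clearCookie`/`res.redirect` APIs.

```javascript
// Added example (not from the question or the projects it mentions).
// Assumptions: req.session follows the express-session API (destroy(cb));
// res follows the Express API (clearCookie(name, opts), redirect(url)).

// Hypothetical Keycloak end-session URL; host and realm are placeholders.
const KEYCLOAK_LOGOUT_URL =
  'https://keycloak.example.test/realms/myrealm/protocol/openid-connect/logout';

function makeLogoutHandler({
  cookieName = 'connect.sid',      // express-session's default cookie name
  cookiePath = '/',                // must match the path the cookie was set with
  redirectTo = KEYCLOAK_LOGOUT_URL,
} = {}) {
  return function logout(req, res, next) {
    const finish = (err) => {
      if (err) return next(err);
      // Clearing the cookie with a different path than it was set with leaves
      // the old cookie in place, so the path is passed explicitly.
      res.clearCookie(cookieName, { path: cookiePath });
      res.redirect(redirectTo);
    };
    if (req.session && typeof req.session.destroy === 'function') {
      // Removes the record (and the grant kept under keycloak-connect's token
      // key) from the session store, so the old session id cannot be reused.
      req.session.destroy(finish);
    } else {
      finish();
    }
  };
}

// Constructed stand-ins for a session store, request and response, used only
// so the example runs offline; they mirror the API surface the handler uses.
function makeFakeReq(store, sid, data) {
  store.set(sid, data);
  return {
    session: {
      ...data,
      destroy(cb) { store.delete(sid); cb(); },
    },
  };
}

function makeFakeRes() {
  const res = { clearedCookies: [], redirectedTo: null };
  res.clearCookie = (name, opts) => { res.clearedCookies.push({ name, ...opts }); };
  res.redirect = (url) => { res.redirectedTo = url; };
  return res;
}

// Simulates one user logging out and returns the resulting state.
function runLogoutScenario() {
  const store = new Map();
  const sid = 'constructed-sid-1';
  // 'keycloak-token' stands in for SessionStore.TOKEN_KEY; the value is constructed.
  const req = makeFakeReq(store, sid, { 'keycloak-token': '{"access_token":"constructed"}' });
  const res = makeFakeRes();
  const errors = [];
  makeLogoutHandler()(req, res, (e) => errors.push(e));
  return {
    sessionStillStored: store.has(sid),
    clearedCookies: res.clearedCookies,
    redirectedTo: res.redirectedTo,
    errors,
  };
}
```

In a real Express app the handler is mounted as a route (for example `app.get('/logout', makeLogoutHandler())`) ahead of, or instead of, the adapter's own logout route; destroying the session server-side is what prevents a second user in the same browser from inheriting the first user's session, and clearing the cookie is what keeps the stale id from being sent on the next request.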