edge case for allowed_logout_urls (#97)

yangwang-okta · web-flow · commit 0216032c83b0 · 2026-03-18T13:31:51.000+11:00
diff --git a/analyzer/lib/clients/checkAllowedLogoutUrl.js b/analyzer/lib/clients/checkAllowedLogoutUrl.js
@@ -77,6 +77,11 @@ function checkURLsForApp(app) {
     return report;
   }
   allowed_logout_urls.forEach((url) => {
+    if (!url) {
+      // Skip null/undefined/empty URLs and log warning
+      console.warn(`[WARNING] App "${app.name}" (${app.client_id}) has null/undefined URL in allowed_logout_urls`);
+      return;
+    }
     const subArr = insecurePatterns.filter((str) => url.includes(str));
     if (subArr.length > 0) {
       report.push({
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@auth0/auth0-checkmate",
-  "version": "1.6.14",
+  "version": "1.6.15",
   "description": "A command line tool for checking configuration of your Auth0 tenant",
   "main": "analyzer/report.js",
   "scripts": {
diff --git a/tests/clients/checkAllowedLogoutUrl.test.js b/tests/clients/checkAllowedLogoutUrl.test.js
@@ -146,4 +146,47 @@ describe("checkAllowedLogoutUrl", function () {
       ]);
     });
   });
+
+  it("should handle null/undefined URLs in allowed_logout_urls array without crashing", function () {
+    const options = {
+      clients: [
+        {
+          name: "Test App with Null URLs",
+          client_id: "client_with_null",
+          allowed_logout_urls: ["https://contoso.com", null, "http://localhost:3000", undefined], // Contains null and undefined
+          app_type: "spa",
+          is_first_party: false,
+        },
+      ],
+    };
+
+    checkAllowedLogoutUrl(options, (reports) => {
+      // Should only process valid URLs and skip null/undefined
+      expect(reports).to.deep.equal([
+        {
+          name: "Test App with Null URLs (client_with_null)",
+          report: [
+            {
+              name: "Test App with Null URLs (client_with_null)",
+              client_id: "client_with_null",
+              field: "insecure_allowed_logout_urls",
+              value: "http://localhost:3000",
+              status: CONSTANTS.FAIL,
+              app_type: "spa",
+              is_first_party: false,
+            },
+            {
+              name: "Test App with Null URLs (client_with_null)",
+              client_id: "client_with_null",
+              field: "secure_allowed_logout_urls",
+              status: CONSTANTS.SUCCESS,
+              value: "https://contoso.com",
+              app_type: "spa",
+              is_first_party: false,
+            },
+          ],
+        },
+      ]);
+    });
+  });
 });

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@auth0/auth0-checkmate",`
`3`		`- "version": "1.6.14",`
	`3`	`+ "version": "1.6.15",`
`4`	`4`	`"description": "A command line tool for checking configuration of your Auth0 tenant",`
`5`	`5`	`"main": "analyzer/report.js",`
`6`	`6`	`"scripts": {`