
[Bug]: Self Service Account Session Revocation Fails #3007

Open
jobannon opened this issue Feb 26, 2025 · 1 comment

Comments


jobannon commented Feb 26, 2025

What happened?

Setup

  1. Establish an Account session by logging in to https://local.fusionauth.io/account/?client_id=
  2. Wait for the AT duration to expire for this Self Service Account Management Session. The AT session setting is set on the jwt tab for the Tenant or overridden on the application level under the same jwt tab.
  3. Attempt to revoke the Self Service Account Session by calling https://local.fusionauth.io/account/logout?client_id=<client(same)>
  4. Observe a 500 error.

Other consequences

The following occurs when the Account Pages remove a session:

  1. Call GET - https://local.fusionauth.io/account/logout?client_id=<client>
     a. This kills the Self Service Account Session
  2. The next step is a call to GET - oauth2/logout?clientId=<client>
     a. This allows the integrator to remove the SSO session as well as any backend sessions in accordance with this doc.

So functionally, a call to logout of the Account Pages is a call to remove both the Account Session and other related OAuth Sessions. Therefore, when a 500 error occurs the user might not successfully revoke the Account Self Service Session (step 1) as well as the sessions linked to the oauth workflows (step 2).

Workarounds

You can set a super long duration for the AT - this has security consequences/tradeoffs that you may not want to allow.

Version

1.55.1

Affects Versions

No response
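As an added example (not code from the issue or from FusionAuth), a small verification helper for the two-step logout described above: it calls both endpoints in order, records each status, and still attempts the oauth2 logout when the account logout returns 500, so the check shows whether the OAuth/SSO side was reached at all. It assumes an already-authenticated account-session cookie, base URL and client id supplied by the caller, and an injectable fetch function so the logic can be exercised offline.

```python
"""Verify the Account Pages logout chain: /account/logout then /oauth2/logout."""
import urllib.error
import urllib.request
from urllib.parse import urlencode


def default_fetch(url, cookie):
    """Issue a GET carrying the session cookie and return the final HTTP status.
    HTTPError (e.g. the 500 from the bug) is turned into its status code."""
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def logout_urls(base_url, client_id):
    """The two GETs the Account Pages issue, in order.
    Note the differing query parameter names: client_id vs clientId."""
    account = f"{base_url}/account/logout?{urlencode({'client_id': client_id})}"
    oauth = f"{base_url}/oauth2/logout?{urlencode({'clientId': client_id})}"
    return [("account", account), ("oauth2", oauth)]


def revoke_sessions(base_url, client_id, cookie, fetch=default_fetch):
    """Run both logout steps and report per-step status.
    The second step is attempted even if the first fails, so the result
    distinguishes 'account logout broken' from 'SSO logout never reached'."""
    results = {}
    for name, url in logout_urls(base_url, client_id):
        results[name] = fetch(url, cookie)
    # A 5xx on the account logout is the failure mode the issue describes.
    results["account_logout_bug"] = results["account"] >= 500
    results["all_revoked"] = all(results[n] < 400 for n in ("account", "oauth2"))
    return results


if __name__ == "__main__":
    # Constructed placeholder values; replace with a real cookie and client id.
    print(revoke_sessions("https://local.fusionauth.io", "<client>", "fusionauth.sso=<cookie>"))
```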

@jon-at-advarra

Adding more details on this bug; the following error is logged to the FA server log:

```
2025-02-27 05:47:43.610 AM ERROR org.primeframework.mvc.PrimeMVCRequestHandler - Error encountered
java.lang.NullPointerException: null
2025-02-27 05:48:23.446 AM ERROR io.fusionauth.app.primeframework.error.ExceptionExceptionHandler - An unhandled exception was thrown
com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) [Guice/ErrorInjectingConstructor]: NullPointerException
  at LogoutAction.<init>(LogoutAction.java:22)
  while locating LogoutAction

Learn more:
  https://github.com/google/guice/wiki/ERROR_INJECTING_CONSTRUCTOR

1 error

======================
Full classname legend:
======================
LogoutAction:         "io.fusionauth.app.action.account.LogoutAction"
========================
End of classname legend:
========================
	at com.google.inject.internal.InternalProvisionException.toProvisionException(InternalProvisionException.java:251)
	at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1151)
	at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1186)
	at org.primeframework.mvc.action.DefaultActionMapper.map(DefaultActionMapper.java:61)
	at org.primeframework.mvc.action.DefaultActionMappingWorkflow.perform(DefaultActionMappingWorkflow.java:80)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.security.DefaultSavedRequestWorkflow.perform(DefaultSavedRequestWorkflow.java:65)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.cors.CORSRequestWorkflow.perform(CORSRequestWorkflow.java:68)
	at org.primeframework.mvc.workflow.SubWorkflowChain.continueWorkflow(SubWorkflowChain.java:50)
	at org.primeframework.mvc.workflow.DefaultMVCWorkflow.perform(DefaultMVCWorkflow.java:108)
	at org.primeframework.mvc.PrimeMVCRequestHandler.handle(PrimeMVCRequestHandler.java:73)
	at io.fusionauth.http.server.HTTPWorker.run(HTTPWorker.java:50)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: java.lang.NullPointerException: null
```
