GraphQL Logout mutation w/o X-Parse-Session-Token header causes internal server error

[MichaelJCole]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest version of Parse Server.

Issue Description

Performing the logout mutation from the documentation, without a session set in the headers, causes the following internal server error:

error: Uncaught internal server error. Cannot read property 'id' of undefined {"stack":"TypeError: Cannot read property 'id' of undefined
    at mutateAndGetPayload (/app/node_modules/parse-server/lib/GraphQL/loaders/usersMutations.js:231:122)
    at resolve (/app/node_modules/graphql-relay/lib/mutation/mutation.js:88:30)
    at field.resolve (/app/node_modules/graphql-extensions/dist/index.js:134:26)
    at field.resolve (/app/node_modules/apollo-server-core/dist/utils/schemaInstrumentation.js:52:26)
    at resolveFieldValueOrError (/app/node_modules/graphql/execution/execute.js:467:18)
    at resolveField (/app/node_modules/graphql/execution/execute.js:434:16)
    at /app/node_modules/graphql/execution/execute.js:244:18
    at /app/node_modules/graphql/jsutils/promiseReduce.js:23:10
    at Array.reduce (<anonymous>)
    at promiseReduce (/app/node_modules/graphql/jsutils/promiseReduce.js:20:17)"}

The throwing code seems to be here.

Steps to reproduce

1. Open the playground
2. Clear session header
3. Run the logout mutation from the docs:

mutation logOut {
        logOut(input: { clientMutationId: "logOut" }) {
          clientMutationId
          viewer {
            user {
              username
              email
            }
          }
        }
      }

Actual Outcome

Error message above

Expected Outcome

Logging out, without a session token should 400, or return empty user data. I don't think it should log or print a stack trace.

Environment

Server side:
"resolutions": {
"graphql": "^14.7.0"
},
"dependencies": {
"dotenv": "^8.2.0",
"express": "^4.17.1",
"graphql": "^14.7.0",
"graphql-tag": "^2.11.0",
"nodemon": "^2.0.6",
"parse-server": "^4.4.0"
}

Server

• Parse Server version: 4.4.0
• Operating system: Ubuntu 20.04
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Local

Database

• System (MongoDB or Postgres): MongoDB
• Database version: mongodb-runner start
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): Local

Client

• SDK (iOS, Android, JavaScript, PHP, Unity, etc): JavaScript
• SDK version: https://apollo.vuejs.org/

Logs

See error above. VERBOSE=1 didn't show more stuff.

Thank you!

[mtrezza]

Thank you for reporting.

@Moumouls @davimacedo Do you have any suggestion for this GraphQL related issue?

[Moumouls]

Yes it seems that we need to remove viewer from logOut mutation. I think it's nonsense to send a viewer back to the logOut mutation.

@MichaelJCole the quick patch is:

mutation logOutButton {
	logOut(input: { clientMutationId: "logOut" }) {
		clientMutationId
	}
}

I will send a PR to remove viewer from logout mutation

[Moumouls]

PR sent: #7029

[MichaelJCole]

@Moumouls did you try that patch? I tested it in the Playground, and got the same "Error: Internal server error". Anyways, thanks for the fast PR!

[Moumouls]

Yeah after my comment I saw in the code that my patch may be not work on the current version. (logOut code always try to get viewer)

In fact, your only option might be to make sure you have a session token when you call the LogOut @MichaelJCole