@igxjs/node-components 1.0.11 → 1.0.13

package/components/session.js

@@ -1,4 +1,8 @@
+import fs from 'node:fs';
+import path from 'node:path';
 import crypto from 'node:crypto';
+import { fileURLToPath } from 'node:url';
+
 import axios from 'axios';
 import session from 'express-session';
 import memStore from 'memorystore';
@@ -7,6 +11,10 @@ import { RedisStore } from 'connect-redis';
 import { CustomError, httpCodes, httpHelper, httpMessages } from './http-handlers.js';
 import { JwtManager } from './jwt.js';
 import { RedisManager } from './redis.js';
+import { Logger } from './logger.js';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
 
 /**
  * Session authentication mode constants
@@ -21,13 +29,25 @@ export const SessionMode = {
  */
 export class SessionConfig {
   /** 
-   * @type {string} 
-   * Authentication mode for protected routes
-   * Supported values: SessionMode.SESSION | SessionMode.TOKEN
+   * @type {string} Authentication mode for protected routes
+   * - Supported values: SessionMode.SESSION | SessionMode.TOKEN
    * @default SessionMode.SESSION
    */
   SESSION_MODE;
-  /** @type {string} */
+  /** 
+   * @type {string} Identity Provider microservice endpoint URL
+   * 
+   * This is a fully customized, independent microservice that provides SSO authentication.
+   * The endpoint serves multiple applications and provides the following APIs:
+   * - GET /auth/providers - List supported identity providers
+   * - POST /auth/login/:idp - Generate login URL for specific identity provider
+   * - POST /auth/verify - Verify JWT token validity
+   * - GET /auth/callback/:idp - Validate authentication and return user data
+   * - POST /auth/refresh - Refresh access tokens
+   * 
+   * @example
+   * SSO_ENDPOINT_URL: 'https://idp.example.com/open/api/v1'
+   */
   SSO_ENDPOINT_URL;
   /** @type {string} */
   SSO_CLIENT_ID;
@@ -38,35 +58,69 @@ export class SessionConfig {
   /** @type {string} */
   SSO_FAILURE_URL;
 
-  /** @type {number} */
+  /** @type {number} Session age in milliseconds */
   SESSION_AGE;
-  /** @type {string} */
+  /**
+   * @type {string} Session cookie path
+   * @default '/'
+   */
   SESSION_COOKIE_PATH;
-  /** @type {string} */
+  /** @type {string} Session secret */
   SESSION_SECRET;
-  /** @type {string} */
+  /** 
+   * @type {string} 
+   * @default 'ibmid:'
+   */
   SESSION_PREFIX;
-
-  /** @type {string} */
+  /** 
+   * @type {string} Session key
+   * - In the `SessionMode.SESSION` mode, this is the key used to store the user in the session.
+   * - In the `SessionMode.TOKEN` mode, this is the key of localStorage where the user is stored.
+   * @default 'session_token'
+   */
+  SESSION_KEY;
+  /** 
+   * @type {string} Session expiry key
+   * - In the `SessionMode.TOKEN` mode, this is the key of localStorage where the session expiry timestamp is stored.
+   * @default 'session_expires_at'
+   */
+  SESSION_EXPIRY_KEY;
+  /**
+   * @type {string} Path to custom HTML template for TOKEN mode callback
+   * - Used to customize the redirect page that stores JWT token and expiry in localStorage
+   * - Supports placeholders: {{SESSION_DATA_KEY}}, {{SESSION_DATA_VALUE}}, {{SESSION_EXPIRY_KEY}}, {{SESSION_EXPIRY_VALUE}}, {{SSO_SUCCESS_URL}}, {{SSO_FAILURE_URL}}
+   * - If not provided, uses default template
+   */
+  TOKEN_STORAGE_TEMPLATE_PATH;
+  /** @type {string} Redis URL */
   REDIS_URL;
-  /** @type {string} */
+  /** @type {string} Redis certificate path */
   REDIS_CERT_PATH;
-
-  /** @type {string} */
+  /**
+   * @type {string} Algorithm used to encrypt the JWT
+   * @default 'dir'
+   */
   JWT_ALGORITHM;
-  /** @type {string} */
+  /**
+   * @type {string} Encryption algorithm used to encrypt the JWT
+   * @default 'A256GCM'
+   */
   JWT_ENCRYPTION;
-  /** @type {string} */
-  JWT_EXPIRATION_TIME;
-  /** @type {number} */
+  /**
+   * @type {number} Clock tolerance in seconds
+   * @default 30
+   */
   JWT_CLOCK_TOLERANCE;
-  /** @type {string} */
+  /**
+   * @type {string} Hash algorithm used to hash the JWT secret
+   * @default 'SHA-256'
+   */
   JWT_SECRET_HASH_ALGORITHM;
-  /** @type {string} */
+  /** @type {string?} JWT issuer claim */
   JWT_ISSUER;
-  /** @type {string} */
+  /** @type {string?} JWT audience claim */
   JWT_AUDIENCE;
-  /** @type {string} */
+  /** @type {string?} JWT subject claim */
   JWT_SUBJECT;
 }
 
@@ -81,12 +135,49 @@ export class SessionManager {
   #idpRequest = null;
   /** @type {import('./jwt.js').JwtManager} */
   #jwtManager = null;
+  /** @type {import('./logger.js').Logger} */
+  #logger = Logger.getInstance('SessionManager');
 
   /**
    * Create a new session manager
    * @param {SessionConfig} config Session configuration
+   * @throws {TypeError} If config is not an object
+   * @throws {Error} If required configuration fields are missing
    */
   constructor(config) {
+    // Validate config is an object
+    if (!config || typeof config !== 'object') {
+      throw new TypeError('SessionManager configuration must be an object');
+    }
+
+    // Validate required fields based on SESSION_MODE
+    const mode = config.SESSION_MODE || SessionMode.SESSION;
+    
+    // SESSION_SECRET is always required for both modes
+    if (!config.SESSION_SECRET) {
+      throw new Error('SESSION_SECRET is required for SessionManager');
+    }
+
+    // Validate SSO configuration if SSO endpoints are used
+    if (config.SSO_ENDPOINT_URL) {
+      if (!config.SSO_CLIENT_ID) {
+        throw new Error('SSO_CLIENT_ID is required when SSO_ENDPOINT_URL is provided');
+      }
+      if (!config.SSO_CLIENT_SECRET) {
+        throw new Error('SSO_CLIENT_SECRET is required when SSO_ENDPOINT_URL is provided');
+      }
+    }
+
+    // Validate TOKEN mode specific requirements
+    if (mode === SessionMode.TOKEN) {
+      if (!config.SSO_SUCCESS_URL) {
+        throw new Error('SSO_SUCCESS_URL is required for TOKEN authentication mode');
+      }
+      if (!config.SSO_FAILURE_URL) {
+        throw new Error('SSO_FAILURE_URL is required for TOKEN authentication mode');
+      }
+    }
+
     this.#config = {
       // Session Mode
       SESSION_MODE: config.SESSION_MODE || SessionMode.SESSION,
@@ -95,6 +186,10 @@ export class SessionManager {
       SESSION_COOKIE_PATH: config.SESSION_COOKIE_PATH || '/',
       SESSION_SECRET: config.SESSION_SECRET,
       SESSION_PREFIX: config.SESSION_PREFIX || 'ibmid:',
+      SESSION_KEY: config.SESSION_KEY || 'session_token',
+      SESSION_EXPIRY_KEY: config.SESSION_EXPIRY_KEY || 'session_expires_at',
+      TOKEN_STORAGE_TEMPLATE_PATH: config.TOKEN_STORAGE_TEMPLATE_PATH,
+
       // Identity Provider
       SSO_ENDPOINT_URL: config.SSO_ENDPOINT_URL,
       SSO_CLIENT_ID: config.SSO_CLIENT_ID,
@@ -104,10 +199,10 @@ export class SessionManager {
       // Redis
       REDIS_URL: config.REDIS_URL,
       REDIS_CERT_PATH: config.REDIS_CERT_PATH,
+
       // JWT Manager
       JWT_ALGORITHM: config.JWT_ALGORITHM || 'dir',
       JWT_ENCRYPTION: config.JWT_ENCRYPTION || 'A256GCM',
-      JWT_EXPIRATION_TIME: config.JWT_EXPIRATION_TIME || '10m',
       JWT_CLOCK_TOLERANCE: config.JWT_CLOCK_TOLERANCE ?? 30,
       JWT_SECRET_HASH_ALGORITHM: config.JWT_SECRET_HASH_ALGORITHM || 'SHA-256',
       JWT_ISSUER: config.JWT_ISSUER,
@@ -155,18 +250,18 @@ export class SessionManager {
    * @returns {string} Returns the session key
    */
   #getSessionKey() {
-    return 'user';
+    return this.#config.SESSION_KEY;
   }
 
   /**
    * Get Redis key for token storage
    * @param {string} email User email
-   * @param {string} tokenId Token ID
+   * @param {string} tid Token ID
    * @returns {string} Returns the Redis key for token storage
    * @private
    */
-  #getTokenRedisKey(email, tokenId) {
-    return `${this.#config.SESSION_PREFIX}token:${email}:${tokenId}`;
+  #getTokenRedisKey(email, tid) {
+    return `${this.#config.SESSION_KEY}:t:${email}:${tid}`;
   }
 
   /**
@@ -176,7 +271,7 @@ export class SessionManager {
    * @private
    */
   #getTokenRedisPattern(email) {
-    return `${this.#config.SESSION_PREFIX}token:${email}:*`;
+    return `${this.#config.SESSION_KEY}:t:${email}:*`;
   }
 
   /**
@@ -189,47 +284,54 @@ export class SessionManager {
 
   /**
    * Generate and store JWT token in Redis
-   * @param {object} user User object
+   * - JWT payload contains only { email, tid } for minimal size
+   * - Full user data is stored in Redis as single source of truth
+   * @param {object} user User object with email and attributes
    * @returns {Promise<string>} Returns the generated JWT token
+   * @throws {Error} If JWT encryption fails
+   * @throws {Error} If Redis storage fails
    * @private
+   * @example
+   * const token = await this.#generateAndStoreToken({
+   *   email: 'user@example.com',
+   *   attributes: { /* user data * / }
+   * });
    */
   async #generateAndStoreToken(user) {
     // Generate unique token ID for this device/session
-    const tokenId = crypto.randomUUID();
-    
-    // Create JWT token with email and tokenId
+    const tid = crypto.randomUUID();
+    const ttlSeconds = Math.floor(this.#config.SESSION_AGE / 1000);
+    // Create JWT token with only email and tid (minimal payload)
     const token = await this.#jwtManager.encrypt(
-      { 
-        email: user.email, 
-        tokenId 
-      },
+      { email: user.email, tid },
       this.#config.SESSION_SECRET,
-      { expirationTime: this.#config.JWT_EXPIRATION_TIME }
+      { expirationTime: ttlSeconds }
     );
-    
+
     // Store user data in Redis with TTL
-    const redisKey = this.#getTokenRedisKey(user.email, tokenId);
-    const ttlSeconds = Math.floor(this.#config.SESSION_AGE / 1000);
-    
+    const redisKey = this.#getTokenRedisKey(user.email, tid);
+
     await this.#redisManager.getClient().setEx(
       redisKey,
       ttlSeconds,
       JSON.stringify(user)
     );
-    
-    console.debug(`### TOKEN GENERATED: ${user.email} ###`);
-    
+    this.#logger.debug(`### TOKEN GENERATED: ${user.email} ###`);
     return token;
   }
 
   /**
-   * Verify token authentication
-   * @param {import('@types/express').Request} req Request
-   * @param {import('@types/express').Response} res Response
-   * @param {import('@types/express').NextFunction} next Next function
-   * @param {boolean} isDebugging Debugging flag
-   * @param {string} redirectUrl Redirect URL
+   * Verify token authentication - extracts and validates JWT from Authorization header
+   * @param {import('@types/express').Request} req Request with Authorization header
+   * @param {import('@types/express').Response} res Response object
+   * @param {import('@types/express').NextFunction} next Next middleware function
+   * @param {boolean} isDebugging If true, allows unauthenticated requests
+   * @param {string} redirectUrl URL to redirect to on authentication failure
+   * @throws {CustomError} If token is missing, invalid, or expired
    * @private
+   * @example
+   * // Authorization header format: "Bearer {jwt_token}"
+   * await this.#verifyToken(req, res, next, false, '/login');
    */
   async #verifyToken(req, res, next, isDebugging, redirectUrl) {
     try {
@@ -247,14 +349,14 @@ export class SessionManager {
         this.#config.SESSION_SECRET
       );
 
-      // Extract email and tokenId
-      const { email, tokenId } = payload;
-      if (!email || !tokenId) {
+      // Extract email and token ID
+      const { email, tid } = payload;
+      if (!email || !tid) {
         throw new CustomError(httpCodes.UNAUTHORIZED, 'Invalid token payload');
       }
 
       // Lookup user in Redis
-      const redisKey = this.#getTokenRedisKey(email, tokenId);
+      const redisKey = this.#getTokenRedisKey(email, tid);
       const userData = await this.#redisManager.getClient().get(redisKey);
 
       if (!userData) {
@@ -263,7 +365,6 @@ export class SessionManager {
 
       // Parse and attach user to request
       req.user = JSON.parse(userData);
-      res.locals.user = req.user;
 
       // Validate authorization
       const { authorized = isDebugging } = req.user ?? { authorized: isDebugging };
@@ -275,7 +376,7 @@ export class SessionManager {
 
     } catch (error) {
       if (isDebugging) {
-        console.warn('### TOKEN VERIFICATION FAILED (debugging mode) ###', error.message);
+        this.#logger.warn('### TOKEN VERIFICATION FAILED (debugging mode) ###', error.message);
         return next();
       }
 
@@ -294,12 +395,13 @@ export class SessionManager {
   }
 
   /**
-   * Verify session authentication
-   * @param {import('@types/express').Request} req Request
-   * @param {import('@types/express').Response} res Response
-   * @param {import('@types/express').NextFunction} next Next function
-   * @param {boolean} isDebugging Debugging flag
-   * @param {string} redirectUrl Redirect URL
+   * Verify session authentication - checks if user is authorized in session
+   * @param {import('@types/express').Request} req Request with session data
+   * @param {import('@types/express').Response} res Response object
+   * @param {import('@types/express').NextFunction} next Next middleware function
+   * @param {boolean} isDebugging If true, allows unauthorized users
+   * @param {string} redirectUrl URL to redirect to if user is unauthorized
+   * @throws {CustomError} If user is not authorized
    * @private
    */
   async #verifySession(req, res, next, isDebugging, redirectUrl) {
@@ -314,13 +416,18 @@ export class SessionManager {
   }
 
   /**
-   * Refresh token authentication
-   * @param {import('@types/express').Request} req Request
-   * @param {import('@types/express').Response} res Response
-   * @param {import('@types/express').NextFunction} next Next function
-   * @param {(user: object) => object} initUser Initialize user function
-   * @param {string} idpUrl Identity provider URL
+   * Refresh token authentication - exchanges refresh token for new JWT
+   * Invalidates old token and generates a new one with updated user data
+   * @param {import('@types/express').Request} req Request with Authorization header
+   * @param {import('@types/express').Response} res Response object
+   * @param {import('@types/express').NextFunction} next Next middleware function
+   * @param {(user: object) => object} initUser Function to initialize/transform user object
+   * @param {string} idpUrl Identity provider refresh endpoint URL
+   * @throws {CustomError} If refresh lock is active or SSO refresh fails
    * @private
+   * @example
+   * // Response format:
+   * // { token: "new_jwt", user: {...}, expiresIn: 64800, tokenType: "Bearer" }
    */
   async #refreshToken(req, res, next, initUser, idpUrl) {
     try {
@@ -331,11 +438,11 @@ export class SessionManager {
         throw new CustomError(httpCodes.UNAUTHORIZED, 'User not authenticated');
       }
 
-      // Extract tokenId from current token
+      // Extract Token ID from current token
       const authHeader = req.headers.authorization;
       const token = authHeader?.substring(7);
       const { payload } = await this.#jwtManager.decrypt(token, this.#config.SESSION_SECRET);
-      const oldTokenId = payload.tokenId;
+      const { tid: oldTokenId } = payload;
 
       // Check refresh lock
       if (this.hasLock(email)) {
@@ -376,7 +483,7 @@ export class SessionManager {
       const oldRedisKey = this.#getTokenRedisKey(email, oldTokenId);
       await this.#redisManager.getClient().del(oldRedisKey);
 
-      console.debug('### TOKEN REFRESHED SUCCESSFULLY ###');
+      this.#logger.debug('### TOKEN REFRESHED SUCCESSFULLY ###');
 
       // Return new token
       return res.json({
@@ -450,7 +557,7 @@ export class SessionManager {
         await this.#redisManager.getClient().del(keys);
       }
 
-      console.info(`### ALL TOKENS LOGGED OUT: ${email} (${keys.length} tokens) ###`);
+      this.#logger.info(`### ALL TOKENS LOGGED OUT: ${email} (${keys.length} tokens) ###`);
 
       if (isRedirect) {
         return res.redirect(this.#config.SSO_SUCCESS_URL);
@@ -461,7 +568,7 @@ export class SessionManager {
         redirect_url: this.#config.SSO_SUCCESS_URL
       });
     } catch (error) {
-      console.error('### LOGOUT ALL TOKENS ERROR ###', error);
+      this.#logger.error('### LOGOUT ALL TOKENS ERROR ###', error);
       if (isRedirect) {
         return res.redirect(this.#config.SSO_FAILURE_URL);
       }
@@ -487,7 +594,7 @@ export class SessionManager {
     }
 
     try {
-      // Extract tokenId from current token
+      // Extract Token ID from current token
       const authHeader = req.headers.authorization;
       const token = authHeader?.substring(7);
 
@@ -496,13 +603,17 @@ export class SessionManager {
       }
 
       const { payload } = await this.#jwtManager.decrypt(token, this.#config.SESSION_SECRET);
-      const { email, tokenId } = payload;
+      const { email, tid } = payload;
+
+      if (!email || !tid) {
+        throw new CustomError(httpCodes.BAD_REQUEST, 'Invalid token payload');
+      }
 
       // Remove token from Redis
-      const redisKey = this.#getTokenRedisKey(email, tokenId);
+      const redisKey = this.#getTokenRedisKey(email, tid);
       await this.#redisManager.getClient().del(redisKey);
 
-      console.info('### TOKEN LOGOUT SUCCESSFULLY ###');
+      this.#logger.info('### TOKEN LOGOUT SUCCESSFULLY ###');
 
       if (isRedirect) {
         return res.redirect(this.#config.SSO_SUCCESS_URL);
@@ -513,7 +624,7 @@ export class SessionManager {
       });
 
     } catch (error) {
-      console.error('### TOKEN LOGOUT ERROR ###', error);
+      this.#logger.error('### TOKEN LOGOUT ERROR ###', error);
       if (isRedirect) {
         return res.redirect(this.#config.SSO_FAILURE_URL);
       }
@@ -535,16 +646,16 @@ export class SessionManager {
     try {
       res.clearCookie('connect.sid');
     } catch (error) {
-      console.error('### CLEAR COOKIE ERROR ###');
-      console.error(error);
+      this.#logger.error('### CLEAR COOKIE ERROR ###');
+      this.#logger.error(error);
     }
     return req.session.destroy((sessionError) => {
       if (sessionError) {
-        console.error('### SESSION DESTROY CALLBACK ERROR ###');
-        console.error(sessionError);
+        this.#logger.error('### SESSION DESTROY CALLBACK ERROR ###');
+        this.#logger.error(sessionError);
         return callback(sessionError);
       }
-      console.info('### SESSION LOGOUT SUCCESSFULLY ###');
+      this.#logger.info('### SESSION LOGOUT SUCCESSFULLY ###');
       return callback(null);
     });
   }
@@ -573,7 +684,7 @@ export class SessionManager {
    */
   #redisSession() {
     // Redis Session
-    console.log('### Using Redis as the Session Store ###');
+    this.#logger.log('### Using Redis as the Session Store ###');
     return session({
       cookie: { maxAge: this.#config.SESSION_AGE, path: this.#config.SESSION_COOKIE_PATH, sameSite: false },
       store: new RedisStore({ client: this.#redisManager.getClient(), prefix: this.#config.SESSION_PREFIX, disableTouch: true }),
@@ -588,7 +699,7 @@ export class SessionManager {
    */
   #memorySession() {
     // Memory Session
-    console.log('### Using Memory as the Session Store ###');
+    this.#logger.log('### Using Memory as the Session Store ###');
     const MemoryStore = memStore(session);
     return session({
       cookie: { maxAge: this.#config.SESSION_AGE, path: this.#config.SESSION_COOKIE_PATH, sameSite: false },
@@ -675,13 +786,13 @@ export class SessionManager {
     /** @type {{ payload: { user: import('../models/types/user').UserModel, redirect_url: string } }} */
     const { payload } = await this.#jwtManager.decrypt(jwt, this.#config.SSO_CLIENT_SECRET);
     if (payload?.user) {
-      console.debug('### CALLBACK USER ###');
+      this.#logger.debug('### CALLBACK USER ###');
       request.session[this.#getSessionKey()] = initUser(payload.user);
       return new Promise((resolve, reject) => {
         request.session.touch().save((err) => {
           if (err) {
-            console.error('### SESSION SAVE ERROR ###');
-            console.error(err);
+            this.#logger.error('### SESSION SAVE ERROR ###');
+            this.#logger.error(err);
             return reject(new CustomError(httpCodes.SYSTEM_FAILURE,  'Session failed to save', err));
           }
           return resolve(payload);
@@ -711,7 +822,9 @@ export class SessionManager {
           throw new CustomError(httpCodes.BAD_REQUEST, 'Invalid JWT payload');
         }
 
+        /** @type {import('../index.js').SessionUser} */
         const user = initUser(payload.user);
+        /** @type {string} */
         const redirectUrl = payload.redirect_url || this.#config.SSO_SUCCESS_URL;
 
         // Check SESSION_MODE to determine response type
@@ -719,57 +832,26 @@ export class SessionManager {
           // Token-based: Generate token and return HTML page that stores it
           const token = await this.#generateAndStoreToken(user);
 
-          console.debug('### CALLBACK TOKEN GENERATED ###');
+          this.#logger.debug('### CALLBACK TOKEN GENERATED ###');
 
+          const templatePath = this.#config.TOKEN_STORAGE_TEMPLATE_PATH || path.resolve(__dirname, 'assets', 'template.html');
           // Return HTML page that stores token in localStorage and redirects
-          return res.send(`
-            <!DOCTYPE html>
-            <html>
-            <head>
-              <meta charset="UTF-8">
-              <title>Authentication Complete</title>
-              <script>
-                (function() {
-                  try {
-                    // Store auth data in localStorage
-                    localStorage.setItem('authToken', ${JSON.stringify(token)});
-                    localStorage.setItem('tokenExpiry', ${Date.now() + this.#config.SESSION_AGE});
-                    localStorage.setItem('user', ${JSON.stringify({
-                      email: user.email,
-                      name: user.name,
-                    })});
-                    
-                    // Redirect to original destination
-                    window.location.replace(${JSON.stringify(redirectUrl)});
-                  } catch (error) {
-                    console.error('Failed to store authentication:', error);
-                    document.getElementById('error').style.display = 'block';
-                  }
-                })();
-              </script>
-              <style>
-                body { font-family: system-ui, sans-serif; text-align: center; padding: 50px; }
-                #error { display: none; color: #d32f2f; margin-top: 20px; }
-              </style>
-            </head>
-            <body>
-              <p>Completing authentication...</p>
-              <div id="error">
-                <p>Authentication failed. Please try again.</p>
-                <a href="${this.#config.SSO_FAILURE_URL}">Return to login</a>
-              </div>
-            </body>
-            </html>
-          `);
-        }
-        else {
-          // Session-based: Save to session and redirect
-          await this.#saveSession(req, jwt, initUser);
-          return res.redirect(redirectUrl);
+          const template = fs.readFileSync(templatePath, 'utf8');
+          const html = template
+            .replaceAll('{{SESSION_DATA_KEY}}', this.#config.SESSION_KEY)
+            .replaceAll('{{SESSION_DATA_VALUE}}', token)
+            .replaceAll('{{SESSION_EXPIRY_KEY}}', this.#config.SESSION_EXPIRY_KEY)
+            .replaceAll('{{SESSION_EXPIRY_VALUE}}', user.attributes.expires_at)
+            .replaceAll('{{SSO_SUCCESS_URL}}', redirectUrl)
+            .replaceAll('{{SSO_FAILURE_URL}}', this.#config.SSO_FAILURE_URL);
+          return res.send(html);
         }
+        // Session-based: Save to session and redirect
+        await this.#saveSession(req, jwt, initUser);
+        return res.redirect(redirectUrl);
       }
       catch (error) {
-        console.error('### CALLBACK ERROR ###', error);
+        this.#logger.error('### CALLBACK ERROR ###', error);
         return res.redirect(this.#config.SSO_FAILURE_URL.concat('?message=').concat(encodeURIComponent(error.message)));
       }
     };
@@ -832,8 +914,8 @@ export class SessionManager {
       // Session-based authentication is already single-instance per cookie
       return this.#logoutSession(req, res, (error) => {
         if (error) {
-          console.error('### LOGOUT CALLBACK ERROR ###');
-          console.error(error);
+          this.#logger.error('### LOGOUT CALLBACK ERROR ###');
+          this.#logger.error(error);
           if (isRedirect) {
             return res.redirect(this.#config.SSO_FAILURE_URL);
           }