Handle the double-logout case more cleanly

Do not attempt to call backends (keystore) with empty usernames.

server/http.go

@@ -330,6 +330,10 @@ type logoutServiceInfo struct {
 
 // Logout handler. We generate a page that triggers child logout
 // requests to all the services the user is logged in to.
+//
+// Unauthenticated requests to /logout will fall through to this
+// handler, but auth.Username will be empty in that case. We are
+// still going to show the logout page to avoid confusion.
 func (h *Server) handleLogout(w http.ResponseWriter, req *http.Request) {
 	auth, ok := login.GetAuth(req.Context())
 	if !ok {
@@ -337,8 +341,6 @@ func (h *Server) handleLogout(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	//
-
 	var svcs []logoutServiceInfo
 	for _, svc := range auth.Services {
 		svcs = append(svcs, logoutServiceInfo{
@@ -354,8 +356,8 @@ func (h *Server) handleLogout(w http.ResponseWriter, req *http.Request) {
 		"IncludeLogoutScripts": true,
 	}
 
-	// Close the keystore.
-	if h.keystore != nil {
+	// Close the keystore (only if the session had a valid username).
+	if h.keystore != nil && auth.Username != "" {
 		var shard string
 		if auth.UserInfo != nil {
 			shard = auth.UserInfo.Shard

server/login/login.go

@@ -190,8 +190,10 @@ func (l *Login) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		// wrapped handler. Note that the Auth object will still
 		// contain valid data, but Authenticated will be set to false.
 		if req.URL.Path == l.urlFor("/logout") {
+			if session.Authenticated {
 				log.Printf("logging out user %s", session.Username)
 				session.Authenticated = false
+			}
 			session.Delete()
 		} else if !session.Authenticated {
 			// Save the current URL in the session for later redirect.