diff options
| author | Frédéric Mangano-Tarumi <fmang@mg0.fr> | 2020-07-14 15:35:05 +0200 |
|---|---|---|
| committer | Lukas Fleischer <lfleischer@archlinux.org> | 2021-02-20 17:24:30 +0100 |
| commit | 4d0f2d2279ed9fcdf6bb76015ac0da9c6e938d69 (patch) | |
| tree | e8683431da721c46b95a973ecdeefbbc91170f42 | |
| parent | d12ea08fcaa62211cbf4d83bba91124b90f861cf (diff) | |
| download | aur-4d0f2d2279ed9fcdf6bb76015ac0da9c6e938d69.tar.gz aur-4d0f2d2279ed9fcdf6bb76015ac0da9c6e938d69.tar.xz | |
Implement SSO logout
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
| -rw-r--r-- | aurweb/routers/sso.py | 18 | ||||
| -rw-r--r-- | web/html/logout.php | 14 |
2 files changed, 31 insertions, 1 deletions
diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py index e1ec7efe..a8d4b141 100644 --- a/aurweb/routers/sso.py +++ b/aurweb/routers/sso.py @@ -1,6 +1,8 @@ import time import uuid +from urllib.parse import urlencode + import fastapi from authlib.integrations.starlette_client import OAuth @@ -82,3 +84,19 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)): else: # We’ve got a severe integrity violation. raise Exception("Multiple accounts found for SSO account " + sub) + + +@router.get("/sso/logout") +async def logout(): + """ + Disconnect the user from the SSO provider, potentially affecting every + other Arch service. AUR logout is performed by `/logout`, before it + redirects to `/sso/logout`. + + Based on the OpenID Connect Session Management specification: + https://openid.net/specs/openid-connect-session-1_0.html#RPLogout + """ + metadata = await oauth.sso.load_server_metadata() + # TODO Supply id_token_hint to the end session endpoint. + query = urlencode({'post_logout_redirect_uri': aurweb.config.get('options', 'aur_location')}) + return RedirectResponse(metadata["end_session_endpoint"] + '?' + query) diff --git a/web/html/logout.php b/web/html/logout.php index 14022001..9fd63943 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -5,16 +5,28 @@ set_include_path(get_include_path() . PATH_SEPARATOR . '../lib'); include_once("aur.inc.php"); # access AUR common functions include_once("acctfuncs.inc.php"); # access AUR common functions +$redirect_uri = '/'; + # if they've got a cookie, log them out - need to do this before # sending any HTML output. # if (isset($_COOKIE["AURSID"])) { + $uid = uid_from_sid($_COOKIE['AURSID']); delete_session_id($_COOKIE["AURSID"]); # setting expiration to 1 means '1 second after midnight January 1, 1970' setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); unset($_COOKIE['AURSID']); clear_expired_sessions(); + + # If the account is linked to an SSO account, disconnect the user from the SSO too. + if (isset($uid)) { + $dbh = DB::connect(); + $sso_account_id = $dbh->query("SELECT SSOAccountID FROM Users WHERE ID = " . $dbh->quote($uid)) + ->fetchColumn(); + if ($sso_account_id) + $redirect_uri = '/sso/logout'; + } } -header('Location: /'); +header("Location: $redirect_uri"); |