feat: Remove logoutFromProvider config, and nunjucks template logout url

Closes #563
2025-04-06 15:30:30 +08:00 · 2021-05-03 12:52:50 +02:00 · 2021-05-03 12:52:50 +02:00 · 111d3da83f
commit 111d3da83f
parent e636c79767
4 changed files with 64 additions and 171 deletions
--- a/packages/build/src/lowdefySchema.json
+++ b/packages/build/src/lowdefySchema.json
@ -54,17 +54,9 @@
                "type": "App \"config.auth.openId.rolesField\" should be a string."
              }
            },
-            "logoutFromProvider": {
-              "type": "boolean",
-              "default": false,
-              "description": "If true, the user will be directed to OpenID Connect provider's logout URL. This will log the user out of the provider.",
-              "errorMessage": {
-                "type": "App \"config.auth.openId.logoutFromProvider\" should be a boolean."
-              }
-            },
            "logoutRedirectUri": {
              "type": "string",
-              "description": "The URI to redirect the user to after logout.",
+              "description": "The URI to redirect the user to after logout. Can be a Nunjucks template string with client_id, host, id_token_hint, and openid_domain as template data.",
              "errorMessage": {
                "type": "App \"config.auth.openId.logoutRedirectUri\" should be a string."
              }
--- a/packages/graphql/src/controllers/openIdController.js
+++ b/packages/graphql/src/controllers/openIdController.js
@ -14,7 +14,8 @@
  limitations under the License.
 */

-import { get } from '@lowdefy/helpers';
+import { get, type } from '@lowdefy/helpers';
+import { nunjucksFunction } from '@lowdefy/nunjucks';
 import { Issuer } from 'openid-client';
 import cookie from 'cookie';

@ -22,13 +23,12 @@ import { AuthenticationError, ConfigurationError } from '../context/errors';

 class OpenIdController {
  constructor({ development, getController, getLoader, getSecrets, gqlUri, host, setHeader }) {
-    const httpPrefix = development ? 'http' : 'https';
-
+    this.httpPrefix = development ? 'http' : 'https';
    this.development = development;
    this.componentLoader = getLoader('component');
    this.getSecrets = getSecrets;
    this.host = host;
-    this.redirectUri = `${httpPrefix}://${host}/auth/openid-callback`;
+    this.redirectUri = `${this.httpPrefix}://${this.host}/auth/openid-callback`;
    this.gqlUri = gqlUri || '/api/graphql';
    this.setHeader = setHeader;
    this.tokenController = getController('token');
@ -138,6 +138,17 @@ class OpenIdController {
    };
  }

+  parseLogoutUrlNunjucks({ config, idToken }) {
+    const template = nunjucksFunction(config.logoutRedirectUri);
+    const templateData = {
+      id_token_hint: idToken,
+      client_id: config.clientId,
+      openid_domain: config.domain,
+      host: encodeURIComponent(`${this.httpPrefix}://${this.host}`),
+    };
+    return template(templateData);
+  }
+
  async logoutUrl({ idToken }) {
    try {
      const setCookieHeader = cookie.serialize('authorization', '', {
@ -150,18 +161,8 @@ class OpenIdController {
      this.setHeader('Set-Cookie', setCookieHeader);

      const config = await this.getOpenIdConfig();
-      if (!config) return null;
-
-      if (config.logoutFromProvider !== true) {
-        return config.logoutRedirectUri || null;
-      }
-
-      const client = await this.getClient({ config });
-
-      return client.endSessionUrl({
-        id_token_hint: idToken,
-        post_logout_redirect_uri: config.logoutRedirectUri,
-      });
+      if (!config || !type.isString(config.logoutRedirectUri)) return null;
+      return this.parseLogoutUrlNunjucks({ config, idToken });
    } catch (error) {
      throw new AuthenticationError(error);
    }
--- a/packages/graphql/src/controllers/openIdController.test.js
+++ b/packages/graphql/src/controllers/openIdController.test.js
@ -33,14 +33,9 @@ const mockOpenIdCallback = jest.fn(() => ({
  id_token: 'id_token',
 }));

-const mockEndSessionUrl = jest.fn(
-  ({ id_token_hint, post_logout_redirect_uri }) => `${id_token_hint}:${post_logout_redirect_uri}`
-);
-
 const mockClient = jest.fn(() => ({
  authorizationUrl: mockOpenIdAuthorizationUrl,
  callback: mockOpenIdCallback,
-  endSessionUrl: mockEndSessionUrl,
 }));

 // eslint-disable-next-line no-undef
@ -389,7 +384,7 @@ describe('callback', () => {
 });

 describe('logout', () => {
-  test('callback, no openId config', async () => {
+  test('logout, no openId config', async () => {
    getSecrets.mockImplementation(() => ({}));
    const openIdController = createOpenIdController(context);
    const url = await openIdController.logoutUrl(logoutUrlInput);
@ -402,144 +397,48 @@ describe('logout', () => {
    ]);
  });

-  test('callback, logoutFromProvider !== true, no logoutRedirectUri', async () => {
-    getSecrets.mockImplementation(() => secrets);
-    const openIdController = createOpenIdController(context);
-    const url = await openIdController.logoutUrl(logoutUrlInput);
-    expect(url).toEqual(null);
-    expect(mockEndSessionUrl.mock.calls).toEqual([]);
-    expect(setHeader.mock.calls).toEqual([
-      [
-        'Set-Cookie',
-        'authorization=; Max-Age=0; Path=/api/graphql; HttpOnly; Secure; SameSite=Lax',
-      ],
-    ]);
-  });
-
-  test('callback, logoutFromProvider !== true, with logoutRedirectUri', async () => {
+  test('logout with logoutRedirectUri', async () => {
    getSecrets.mockImplementation(() => secrets);
    mockLoadComponent.mockImplementation(() => ({
      auth: {
        openId: {
-          logoutRedirectUri: 'logoutRedirectUri',
+          logoutRedirectUri:
+            '{{ openid_domain }}/logout/?id_token_hint={{ id_token_hint }}&client_id={{ client_id }}&return_to={{ host }}%2Flogged-out',
        },
      },
    }));
    const openIdController = createOpenIdController(context);
    const url = await openIdController.logoutUrl(logoutUrlInput);
-    expect(url).toEqual('logoutRedirectUri');
-    expect(mockEndSessionUrl.mock.calls).toEqual([]);
-    expect(setHeader.mock.calls).toEqual([
-      [
-        'Set-Cookie',
-        'authorization=; Max-Age=0; Path=/api/graphql; HttpOnly; Secure; SameSite=Lax',
-      ],
-    ]);
-  });
-
-  test('callback, logoutFromProvider, no logoutRedirectUri', async () => {
-    getSecrets.mockImplementation(() => secrets);
-    mockLoadComponent.mockImplementation(() => ({
-      auth: {
-        openId: {
-          logoutFromProvider: true,
-        },
-      },
-    }));
-    const openIdController = createOpenIdController(context);
-    const url = await openIdController.logoutUrl(logoutUrlInput);
-    expect(mockClient.mock.calls).toEqual([
-      [
-        {
-          client_id: 'OPENID_CLIENT_ID',
-          client_secret: 'OPENID_CLIENT_SECRET',
-          redirect_uris: ['https://host/auth/openid-callback'],
-        },
-      ],
-    ]);
-    expect(url).toEqual('idToken:undefined');
-    expect(mockEndSessionUrl.mock.calls).toEqual([
-      [
-        {
-          id_token_hint: 'idToken',
-        },
-      ],
-    ]);
-    expect(setHeader.mock.calls).toEqual([
-      [
-        'Set-Cookie',
-        'authorization=; Max-Age=0; Path=/api/graphql; HttpOnly; Secure; SameSite=Lax',
-      ],
-    ]);
-  });
-
-  test('callback, logoutFromProvider, with logoutRedirectUri', async () => {
-    getSecrets.mockImplementation(() => secrets);
-    mockLoadComponent.mockImplementation(() => ({
-      auth: {
-        openId: {
-          logoutFromProvider: true,
-          logoutRedirectUri: 'logoutRedirectUri',
-        },
-      },
-    }));
-    const openIdController = createOpenIdController(context);
-    const url = await openIdController.logoutUrl(logoutUrlInput);
-    expect(mockClient.mock.calls).toEqual([
-      [
-        {
-          client_id: 'OPENID_CLIENT_ID',
-          client_secret: 'OPENID_CLIENT_SECRET',
-          redirect_uris: ['https://host/auth/openid-callback'],
-        },
-      ],
-    ]);
-    expect(url).toEqual('idToken:logoutRedirectUri');
-    expect(mockEndSessionUrl.mock.calls).toEqual([
-      [
-        {
-          id_token_hint: 'idToken',
-          post_logout_redirect_uri: 'logoutRedirectUri',
-        },
-      ],
-    ]);
-    expect(setHeader.mock.calls).toEqual([
-      [
-        'Set-Cookie',
-        'authorization=; Max-Age=0; Path=/api/graphql; HttpOnly; Secure; SameSite=Lax',
-      ],
-    ]);
-  });
-
-  test('callback, logoutFromProvider, error', async () => {
-    getSecrets.mockImplementation(() => secrets);
-    mockLoadComponent.mockImplementation(() => ({
-      auth: {
-        openId: {
-          logoutFromProvider: true,
-        },
-      },
-    }));
-    const openIdController = createOpenIdController(context);
-    mockEndSessionUrl.mockImplementationOnce(() => {
-      throw new Error('OpenId End Session Error');
-    });
-    await expect(openIdController.logoutUrl(logoutUrlInput)).rejects.toThrow(AuthenticationError);
-    mockEndSessionUrl.mockImplementationOnce(() => {
-      throw new Error('OpenId End Session Error');
-    });
-    await expect(openIdController.logoutUrl(logoutUrlInput)).rejects.toThrow(
-      'Error: OpenId End Session Error'
+    expect(url).toEqual(
+      'OPENID_DOMAIN/logout/?id_token_hint=idToken&client_id=OPENID_CLIENT_ID&return_to=https%3A%2F%2Fhost%2Flogged-out'
    );
    expect(setHeader.mock.calls).toEqual([
      [
        'Set-Cookie',
        'authorization=; Max-Age=0; Path=/api/graphql; HttpOnly; Secure; SameSite=Lax',
      ],
-      [
-        'Set-Cookie',
-        'authorization=; Max-Age=0; Path=/api/graphql; HttpOnly; Secure; SameSite=Lax',
-      ],
+    ]);
+  });
+
+  test('logout with logoutRedirectUri, development true', async () => {
+    getSecrets.mockImplementation(() => secrets);
+    mockLoadComponent.mockImplementation(() => ({
+      auth: {
+        openId: {
+          logoutRedirectUri:
+            '{{ openid_domain }}/logout/?id_token_hint={{ id_token_hint }}&client_id={{ client_id }}&return_to={{ host }}%2Flogged-out',
+        },
+      },
+    }));
+    const devOpenIdController = createOpenIdController(
+      testBootstrapContext({ getSecrets, host: 'host', loaders, development: true, setHeader })
+    );
+    const url = await devOpenIdController.logoutUrl(logoutUrlInput);
+    expect(url).toEqual(
+      'OPENID_DOMAIN/logout/?id_token_hint=idToken&client_id=OPENID_CLIENT_ID&return_to=http%3A%2F%2Fhost%2Flogged-out'
+    );
+    expect(setHeader.mock.calls).toEqual([
+      ['Set-Cookie', 'authorization=; Max-Age=0; Path=/api/graphql; HttpOnly; SameSite=Lax'],
    ]);
  });

@ -561,4 +460,18 @@ describe('logout', () => {
      ],
    ]);
  });
+
+  test('logout with logoutRedirectUri, invalid template', async () => {
+    getSecrets.mockImplementation(() => secrets);
+    mockLoadComponent.mockImplementation(() => ({
+      auth: {
+        openId: {
+          logoutRedirectUri: '{{ openid_domain ',
+        },
+      },
+    }));
+    const openIdController = createOpenIdController(context);
+    expect(openIdController.logoutUrl(logoutUrlInput)).rejects.toThrow(AuthenticationError);
+    expect(openIdController.logoutUrl(logoutUrlInput)).rejects.toThrow('Template render error');
+  });
 });
--- a/packages/graphql/src/resolvers/queries/auth/openIdLogoutUrl.test.js
+++ b/packages/graphql/src/resolvers/queries/auth/openIdLogoutUrl.test.js
@ -17,7 +17,6 @@
 // eslint-disable-next-line no-unused-vars
 import { gql } from 'apollo-server';
 import runTestQuery from '../../../test/runTestQuery';
-import { Issuer } from 'openid-client';

 import openIdLogoutUrl from './openIdLogoutUrl';

@ -33,19 +32,6 @@ const getController = jest.fn((name) => {
  }
 });

-// OpenID mocks
-const mockEndSessionUrl = jest.fn(
-  ({ id_token_hint, post_logout_redirect_uri }) => `${id_token_hint}:${post_logout_redirect_uri}`
-);
-
-const mockClient = jest.fn(() => ({
-  endSessionUrl: mockEndSessionUrl,
-}));
-
-Issuer.discover = jest.fn(() => ({
-  Client: mockClient,
-}));
-
 const secrets = {
  OPENID_CLIENT_ID: 'OPENID_CLIENT_ID',
  OPENID_CLIENT_SECRET: 'OPENID_CLIENT_SECRET',
@ -56,8 +42,8 @@ const secrets = {
 const mockLoadComponent = jest.fn(() => ({
  auth: {
    openId: {
-      logoutFromProvider: true,
-      logoutRedirectUri: 'logoutRedirectUri',
+      logoutRedirectUri:
+        '{{ openid_domain }}/logout/?id_token_hint={{ id_token_hint }}&client_id={{ client_id }}&return_to={{ host }}%2Flogged-out',
    },
  },
 }));
@ -97,7 +83,8 @@ test('openIdLogoutUrl graphql', async () => {
  });
  expect(res.errors).toBe(undefined);
  expect(res.data).toEqual({
-    openIdLogoutUrl: 'idToken:logoutRedirectUri',
+    openIdLogoutUrl:
+      'OPENID_DOMAIN/logout/?id_token_hint=idToken&client_id=OPENID_CLIENT_ID&return_to=https%3A%2F%2Fhost%2Flogged-out',
  });
  expect(setHeader.mock.calls).toEqual([
    ['Set-Cookie', 'authorization=; Max-Age=0; Path=/api/graphql; HttpOnly; Secure; SameSite=Lax'],