Add ODIC Back-Channel Logout (#304)

* prevent returning expired sessions

* add issuer to ODIC creds

* get id token in ODIC

* make session signin return session

* working backchannel logout?

* require https for ODIC provider

* handle wellknown not being https

* find session api progress

* fix windows build

* return session token on session

* switch OIDC to #searchSessions

* update pnpm

* switch to using message on error obj

* move odic callback

* fix type errors

* redirect old oidc callback

* make redirect url a URL

* remove scheduled task downloadCleanup

* fix session search for oidc

* fix signin result

* cleanup code

* ignore data dir

* fix lint error
This commit is contained in:
Husky
2026-01-19 17:50:04 -05:00
committed by GitHub
parent 2967e433ca
commit f04daf0388
18 changed files with 710 additions and 115 deletions
+70
View File
@@ -0,0 +1,70 @@
import sessionHandler from "~/server/internal/session";
import authManager from "~/server/internal/auth";
import type { Session } from "~/server/internal/session/types";
defineRouteMeta({
openAPI: {
tags: ["Auth", "OIDC"],
description: "OIDC Signin callback",
parameters: [],
},
});
export default defineEventHandler(async (h3) => {
// dont cache login responses
setHeader(h3, "Cache-Control", "no-store");
const enabledAuthManagers = authManager.getAuthProviders();
if (!enabledAuthManagers.OpenID) return sendRedirect(h3, "/auth/signin");
const manager = enabledAuthManagers.OpenID;
const query = getQuery(h3);
const code = query.code?.toString();
if (!code)
throw createError({
statusCode: 400,
statusMessage: "No code in query params.",
});
const state = query.state?.toString();
if (!state)
throw createError({
statusCode: 400,
statusMessage: "No state in query params.",
});
const result = await manager.authorize(code, state);
if (typeof result === "string")
throw createError({
statusCode: 403,
statusMessage: `Failed to sign in: "${result}". Please try again.`,
});
// Attach OIDC session data
const oidcData: Session["oidc"] = {
iss: result.claims.iss,
};
if (result.claims.sub) oidcData.sub = result.claims.sub;
if (result.claims.sid) oidcData.sid = result.claims.sid;
const sessionResult = await sessionHandler.signin(h3, result.user.id, {
rememberMe: true,
oidc: oidcData,
});
if (sessionResult == "fail")
throw createError({ statusCode: 500, message: "Failed to set session" });
else if (sessionResult == "2fa") {
return sendRedirect(
h3,
`/auth/mfa?redirect=${result.options.redirect ? encodeURIComponent(result.options.redirect) : "/"}`,
);
}
if (result.options.redirect) {
return sendRedirect(h3, result.options.redirect);
}
return sendRedirect(h3, "/");
});
+46
View File
@@ -0,0 +1,46 @@
// import sessionHandler from "~/server/internal/session";
import authManager from "~/server/internal/auth";
defineRouteMeta({
openAPI: {
tags: ["Auth", "OIDC"],
description: "OIDC logout back-channel",
parameters: [],
},
});
export default defineEventHandler(async (h3) => {
// dont cache logout responses
setHeader(h3, "Cache-Control", "no-store");
const enabledAuthManagers = authManager.getAuthProviders();
if (!enabledAuthManagers.OpenID)
throw createError({
statusCode: 400,
message: "OIDC not enabled.",
});
const logout_token = (await readFormData(h3)).get("logout_token");
if (typeof logout_token !== "string")
throw createError({
statusCode: 400,
message: "Invalid OIDC logout notification.",
});
const okay = await enabledAuthManagers.OpenID.handleLogout(logout_token);
if (!okay) {
throw createError({
statusCode: 400,
message: "Invalid OIDC logout notification.",
});
}
// const result = OIDCLogoutTokenV1(logout_token);
// const manager = enabledAuthManagers.OpenID;
// const query = getQuery(h3);
return {
success: true,
};
});
+3 -1
View File
@@ -98,7 +98,9 @@ export default defineEventHandler(async (h3) => {
},
});
await sessionHandler.signin(h3, mfaMec.userId, true);
await sessionHandler.signin(h3, mfaMec.userId, {
rememberMe: true,
});
await sessionHandler.mfa(h3, 10);
return {};
+8 -11
View File
@@ -84,17 +84,16 @@ export default defineEventHandler<{
});
// TODO: send user to forgot password screen or something to force them to change their password to new system
const result = await sessionHandler.signin(
h3,
authMek.userId,
body.rememberMe,
);
const result = await sessionHandler.signin(h3, authMek.userId, {
rememberMe: body.rememberMe ?? false,
});
if (result === "fail")
throw createError({
statusCode: 500,
message: "Failed to create session",
});
return { userId: authMek.userId, result };
return { result: result, userId: authMek.userId };
}
// V2: argon2
@@ -111,11 +110,9 @@ export default defineEventHandler<{
statusMessage: t("errors.auth.invalidUserOrPass"),
});
const result = await sessionHandler.signin(
h3,
authMek.userId,
body.rememberMe,
);
const result = await sessionHandler.signin(h3, authMek.userId, {
rememberMe: body.rememberMe ?? false,
});
if (result == "fail")
throw createError({ statusCode: 500, message: "Failed to create session" });
return { userId: authMek.userId, result };