forked from greenpau/go-authcrunch
-
Notifications
You must be signed in to change notification settings - Fork 0
/
handle_http_logout.go
107 lines (99 loc) · 3.64 KB
/
handle_http_logout.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
// Copyright 2022 Paul Greenberg greenpau@outlook.com
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package authn
import (
"context"
"github.com/andrewsonpradeep/go-authcrunch/pkg/requests"
"github.com/andrewsonpradeep/go-authcrunch/pkg/user"
addrutil "github.com/andrewsonpradeep/go-authcrunch/pkg/util/addr"
"go.uber.org/zap"
"net/http"
"net/url"
"strings"
)
func (p *Portal) deleteAuthCookies(w http.ResponseWriter, r *http.Request) {
for tokenName := range p.validator.GetAuthCookies() {
w.Header().Add("Set-Cookie", p.cookie.GetDeleteCookie(addrutil.GetSourceHost(r), tokenName))
}
}
func (p *Portal) handleHTTPLogout(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request, parsedUser *user.User) error {
p.disableClientCache(w)
p.injectRedirectURL(ctx, w, r, rr)
h := addrutil.GetSourceHost(r)
for tokenName := range p.validator.GetAuthCookies() {
w.Header().Add("Set-Cookie", p.cookie.GetDeleteCookie(h, tokenName))
}
w.Header().Add("Set-Cookie", p.cookie.GetDeleteCookie(h, p.cookie.Referer))
w.Header().Add("Set-Cookie", p.cookie.GetDeleteCookie(h, p.cookie.SessionID))
if parsedUser != nil && parsedUser.Claims != nil {
p.logger.Debug(
"user logout",
zap.String("session_id", rr.Upstream.SessionID),
zap.String("request_id", rr.ID),
zap.Any("user", parsedUser.Claims),
)
if strings.Contains(parsedUser.Claims.Issuer, "/oauth2/") {
return p.handleHTTPRedirect(ctx, w, r, rr, extractRealmLogout(parsedUser.Claims.Issuer, "oauth2"))
}
} else {
p.logger.Debug(
"user logout",
zap.String("session_id", rr.Upstream.SessionID),
zap.String("request_id", rr.ID),
)
}
return p.handleHTTPRedirect(ctx, w, r, rr, "/login")
}
func (p *Portal) handleHTTPLogoutWithLocalRedirect(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request) error {
var refererExists bool
p.disableClientCache(w)
p.injectRedirectURL(ctx, w, r, rr)
h := addrutil.GetSourceHost(r)
for tokenName := range p.validator.GetAuthCookies() {
w.Header().Add("Set-Cookie", p.cookie.GetDeleteCookie(h, tokenName))
}
if rr.Response.RedirectURL == "" {
w.Header().Add("Set-Cookie", p.cookie.GetDeleteCookie(h, p.cookie.Referer))
}
w.Header().Add("Set-Cookie", p.cookie.GetDeleteCookie(h, p.cookie.SessionID))
// The redirect_url query parameter exists.
if rr.Response.RedirectURL != "" {
return p.handleHTTPRedirect(ctx, w, r, rr, "/login?redirect_url="+rr.Response.RedirectURL)
}
// Find whether the redirect cookie exists. If so, do not inject redirect URL.
if cookie, err := r.Cookie(p.cookie.Referer); err == nil {
v, err := url.Parse(cookie.Value)
if err == nil && v.String() != "" {
refererExists = true
}
}
if !refererExists {
w.Header().Add("Set-Cookie", p.cookie.GetDeleteCookie(h, p.cookie.Referer))
return p.handleHTTPRedirect(ctx, w, r, rr, "/login?redirect_url="+r.RequestURI)
}
return p.handleHTTPRedirect(ctx, w, r, rr, "/login")
}
func extractRealmLogout(s, sp string) string {
var ready bool
for _, k := range strings.Split(s, "/") {
if k == sp {
ready = true
continue
}
if ready {
return "/" + strings.Join([]string{sp, k, "logout"}, "/")
}
}
return "/logout"
}