Add logout logic when using external login (#6042)

farhatahmad · web-flow · commit c2cae830767a · 2025-05-01T14:33:10.000-04:00
* Add logout logic when using external login

* Added missing test

* Fix rspec issues
diff --git a/app/controllers/api/v1/sessions_controller.rb b/app/controllers/api/v1/sessions_controller.rb
@@ -68,8 +68,28 @@ def create
       # DELETE /api/v1/sessions/signout
       # Clears the session cookie and signs the user out
       def destroy
-        sign_out
-        render_data status: :ok
+        id_token = session.delete(:oidc_id_token)
+
+        # Make logout request to OIDC
+        if id_token.present? && external_auth?
+          issuer_url = if ENV.fetch('LOADBALANCER_ENDPOINT', nil).present?
+                         File.join(ENV.fetch('OPENID_CONNECT_ISSUER'), "/#{current_provider}")
+                       else
+                         ENV.fetch('OPENID_CONNECT_ISSUER')
+                       end
+
+          end_session = File.join(issuer_url, 'protocol', 'openid-connect', 'logout')
+
+          url = "#{end_session}?client_id=#{ENV.fetch('OPENID_CONNECT_CLIENT_ID', nil)}" \
+                "&id_token_hint=#{id_token}" \
+                "&post_logout_redirect_uri=#{CGI.escape(root_url(success: 'LogoutSuccessful'))}"
+
+          sign_out
+          render_data data: url, status: :ok
+        else
+          sign_out
+          render_data status: :ok
+        end
       end
 
       private
diff --git a/app/controllers/external_controller.rb b/app/controllers/external_controller.rb
@@ -83,6 +83,7 @@ def create_user
     handle_session_timeout(session_timeout.to_i, user) if session_timeout
 
     session[:session_token] = user.session_token
+    session[:oidc_id_token] = credentials.dig('credentials', 'id_token')
 
     # TODO: - Ahmad: deal with errors
 
diff --git a/app/javascript/components/home/HomePage.jsx b/app/javascript/components/home/HomePage.jsx
@@ -35,6 +35,7 @@ export default function HomePage() {
   const navigate = useNavigate();
   const [searchParams, setSearchParams] = useSearchParams();
   const error = searchParams.get('error');
+  const success = searchParams.get('success');
   const { data: recordValue } = useRoomConfigValue('record');
   const { data: env } = useEnv();
 
@@ -51,6 +52,16 @@ export default function HomePage() {
     [currentUser.signed_in],
   );
 
+  useEffect(() => {
+    switch (success) {
+      case 'LogoutSuccessful':
+        toast.success(t('toast.success.session.signed_out'));
+        break;
+      default:
+    }
+    if (success) { setSearchParams(searchParams.delete('success')); }
+  }, [success]);
+
   useEffect(() => {
     switch (error) {
       case 'InviteInvalid':
diff --git a/app/javascript/hooks/mutations/sessions/useDeleteSession.jsx b/app/javascript/hooks/mutations/sessions/useDeleteSession.jsx
@@ -30,12 +30,19 @@ export default function useDeleteSession({ showToast = true }) {
   return useMutation(
     () => axios.delete('/sessions/signout.json'),
     {
-      onSuccess: async () => {
-        setStateChanging(true);
-        queryClient.refetchQueries('useSessions');
-        await navigate('/');
-        if (showToast) { toast.success(t('toast.success.session.signed_out')); }
-        setStateChanging(false);
+      onSuccess: async ({ data }) => {
+        const logoutUrl = data?.data;
+
+        if (typeof logoutUrl === 'string') {
+          window.location.href = logoutUrl;
+        } else {
+          setStateChanging(true);
+          queryClient.refetchQueries('useSessions');
+
+          await navigate('/');
+          if (showToast) { toast.success(t('toast.success.session.signed_out')); }
+          setStateChanging(false);
+        }
       },
       onError: () => {
         toast.error(t('toast.error.problem_completing_action'));
diff --git a/spec/controllers/external_controller_spec.rb b/spec/controllers/external_controller_spec.rb
@@ -30,6 +30,9 @@
         info: {
           email: Faker::Internet.email,
           name: Faker::Name.name
+        },
+        credentials: {
+          id_token: 'sample_id_token'
         }
       )
 
@@ -53,7 +56,6 @@
 
       get :create_user, params: { provider: 'openid_connect' }
 
-      expect(session[:session_token]).to eq(User.find_by(email: OmniAuth.config.mock_auth[:openid_connect][:info][:email]).session_token)
       expect(response).to redirect_to(root_path)
     end
 
@@ -93,6 +95,15 @@
       end.not_to change(User, :count)
     end
 
+    it 'sets the correct session variables' do
+      request.env['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
+
+      get :create_user, params: { provider: 'openid_connect' }
+
+      expect(session[:session_token]).to eq(User.find_by(email: OmniAuth.config.mock_auth[:openid_connect][:info][:email]).session_token)
+      expect(session[:oidc_id_token]).to eq(OmniAuth.config.mock_auth[:openid_connect][:credentials][:id_token])
+    end
+
     context 'redirect' do
       it 'redirects to the location cookie if a relative redirection 1' do
         request.env['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
@@ -28,6 +28,10 @@
   end
 
   describe '#create' do
+    before do
+      allow(controller).to receive(:external_auth?).and_return(false)
+    end
+
     it 'creates a regular session if the remember me checkbox is not selected' do
       post :create, params: {
         session: {
@@ -140,13 +144,63 @@
   end
 
   describe '#destroy' do
-    it 'signs off the user' do
+    before do
       sign_in_user(user)
+    end
 
+    it 'signs off the user' do
       delete :destroy
 
       expect(cookies.encrypted[:_extended_session]).to be_nil
       expect(session[:session_token]).to be_nil
     end
+
+    context 'external auth' do
+      before do
+        session[:oidc_id_token] = 'sample_id_token'
+        allow(controller).to receive(:external_auth?).and_return(true)
+        ENV['OPENID_CONNECT_ISSUER'] = 'https://openid.example'
+      end
+
+      after do
+        ENV['OPENID_CONNECT_ISSUER'] = nil
+      end
+
+      it 'returns the OIDC logout url' do
+        delete :destroy
+
+        expect(response.parsed_body['data']).to match('protocol/openid-connect/logout')
+        expect(response.parsed_body['data']).to match('id_token_hint=sample_id_token')
+        expect(response.parsed_body['data']).to match("post_logout_redirect_uri=#{CGI.escape(root_url(success: 'LogoutSuccessful'))}")
+      end
+
+      it 'removes both session tokens' do
+        delete :destroy
+
+        expect(session[:session_token]).to be_nil
+        expect(session[:oidc_id_token]).to be_nil
+      end
+
+      context 'LB is set' do
+        let!(:role_with_provider_test) { create(:role, provider: 'test-provider') }
+        let!(:mt_user) { create(:user, provider: 'test-provider', role: role_with_provider_test) }
+
+        before do
+          sign_in_user(mt_user)
+          ENV['LOADBALANCER_ENDPOINT'] = 'http://test.com/'
+          allow(controller).to receive(:current_provider).and_return('test-provider')
+        end
+
+        after do
+          ENV['LOADBALANCER_ENDPOINT'] = nil
+        end
+
+        it 'returns the OIDC logout url' do
+          delete :destroy
+
+          expect(response.parsed_body['data']).to start_with(File.join(ENV.fetch('OPENID_CONNECT_ISSUER', nil), "/#{controller.current_provider}"))
+        end
+      end
+    end
   end
 end
