feat: implement logout & music assistant auth (#42)

Author: cavefire

custom_components/openid/__init__.py

@@ -6,11 +6,13 @@
 from http import HTTPStatus
 from ipaddress import ip_network
 import logging
-import os
+from pathlib import Path
 
 import hass_frontend
 import voluptuous as vol
 
+from homeassistant.auth.models import Credentials
+from homeassistant.components.frontend import add_extra_js_url
 from homeassistant.components.http import StaticPathConfig
 from homeassistant.const import CONF_CLIENT_ID, CONF_CLIENT_SECRET
 from homeassistant.core import HomeAssistant
@@ -23,16 +25,25 @@
     CONF_BLOCK_LOGIN,
     CONF_CONFIGURE_URL,
     CONF_CREATE_USER,
+    CONF_LOGOUT_URL,
     CONF_OPENID_TEXT,
     CONF_SCOPE,
     CONF_TOKEN_URL,
+    CONF_TRUSTED_IPS,
     CONF_USER_INFO_URL,
     CONF_USERNAME_FIELD,
-    CONF_TRUSTED_IPS,
+    CRED_ID_TOKEN,
+    CRED_LOGOUT_REDIRECT_URI,
+    CRED_SESSION_STATE,
     DOMAIN,
 )
 from .http_helper import override_authorize_login_flow, override_authorize_route
-from .views import OpenIDAuthorizeView, OpenIDCallbackView
+from .views import (
+    OpenIDAuthorizeView,
+    OpenIDCallbackView,
+    OpenIDConsentView,
+    OpenIDSessionView,
+)
 
 _LOGGER = logging.getLogger(__name__)
 
@@ -58,6 +69,7 @@
                 vol.Optional(CONF_TRUSTED_IPS, default=[]): vol.All(
                     cv.ensure_list, [cv.string]
                 ),
+                vol.Optional(CONF_LOGOUT_URL): cv.url,
             }
         )
     },
@@ -86,6 +98,64 @@ async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:
 
     hass.data[DOMAIN][CONF_TRUSTED_IPS] = trusted_networks
 
+    async def _async_notify_idp_logout(credential: Credentials) -> None:
+        """Clear logout-related metadata from credentials.
+
+        The actual IdP logout is handled by the frontend (logout.js),
+        which redirects the user to the IdP logout URL so their browser
+        session can be properly cleared.
+        """
+        logout_url: str | None = hass.data[DOMAIN].get(CONF_LOGOUT_URL)
+        if not logout_url:
+            _LOGGER.debug("No logout URL configured; skipping logout metadata cleanup")
+            return
+
+        cleared = False
+        if credential.data.pop(CRED_ID_TOKEN, None) is not None:
+            cleared = True
+        if credential.data.pop(CRED_SESSION_STATE, None) is not None:
+            cleared = True
+
+        if cleared:
+            hass.auth.async_update_user_credentials_data(
+                credential, dict(credential.data)
+            )
+            _LOGGER.debug("Cleared logout metadata from credentials")
+
+    if not hass.data[DOMAIN].get("_remove_refresh_token_patched"):
+        original_remove_refresh_token = hass.auth.async_remove_refresh_token
+
+        def _patched_remove_refresh_token(refresh_token):
+            credential = getattr(refresh_token, "credential", None)
+
+            if (
+                credential is not None
+                and getattr(credential, "auth_provider_type", None) == DOMAIN
+            ):
+                logout_url = hass.data[DOMAIN].get(CONF_LOGOUT_URL)
+                has_logout_metadata = any(
+                    credential.data.get(key)
+                    for key in (
+                        CRED_ID_TOKEN,
+                        CRED_SESSION_STATE,
+                        CRED_LOGOUT_REDIRECT_URI,
+                    )
+                )
+
+                if logout_url and has_logout_metadata:
+                    hass.async_create_background_task(
+                        _async_notify_idp_logout(credential),
+                        name="openid_notify_idp_logout",
+                    )
+
+            original_remove_refresh_token(refresh_token)
+
+        hass.auth.async_remove_refresh_token = _patched_remove_refresh_token
+        hass.data[DOMAIN]["_remove_refresh_token_patched"] = True
+        hass.data[DOMAIN]["_remove_refresh_token_original"] = (
+            original_remove_refresh_token
+        )
+
     if CONF_CONFIGURE_URL in hass.data[DOMAIN]:
         try:
             await fetch_urls(hass, config[DOMAIN][CONF_CONFIGURE_URL])
@@ -100,20 +170,34 @@ async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:
     )
     hass.data[DOMAIN]["authorize_template"] = authorize_template
 
+    # Preload consent screen template
+    consent_path = Path(__file__).parent / "consent_template.html"
+    consent_template = await asyncio.to_thread(consent_path.read_text, encoding="utf-8")
+    hass.data[DOMAIN]["consent_template"] = consent_template
+
     # Serve the custom frontend JS that hooks into the login dialog
     await hass.http.async_register_static_paths(
         [
             StaticPathConfig(
                 "/openid/authorize.js",
-                os.path.join(os.path.dirname(__file__), "authorize.js"),
+                str(Path(__file__).parent / "authorize.js"),
                 cache_headers=True,
-            )
+            ),
+            StaticPathConfig(
+                "/openid/logout.js",
+                str(Path(__file__).parent / "logout.js"),
+                cache_headers=True,
+            ),
         ]
     )
 
+    add_extra_js_url(hass, "/openid/logout.js")
+
     # Register routes
     hass.http.register_view(OpenIDAuthorizeView(hass))
     hass.http.register_view(OpenIDCallbackView(hass))
+    hass.http.register_view(OpenIDConsentView(hass))
+    hass.http.register_view(OpenIDSessionView(hass))
 
     # Patch /auth/authorize to inject our JS file.
     override_authorize_route(hass)
@@ -145,6 +229,10 @@ async def fetch_urls(hass: HomeAssistant, configure_url: str) -> None:
         )
         hass.data[DOMAIN][CONF_TOKEN_URL] = config_data.get("token_endpoint")
         hass.data[DOMAIN][CONF_USER_INFO_URL] = config_data.get("userinfo_endpoint")
+        if (
+            logout_endpoint := config_data.get("end_session_endpoint")
+        ) and not hass.data[DOMAIN].get(CONF_LOGOUT_URL):
+            hass.data[DOMAIN][CONF_LOGOUT_URL] = logout_endpoint
 
         _LOGGER.info("OpenID configuration loaded successfully")
     except Exception as e:  # noqa: BLE001

custom_components/openid/authorize.js

@@ -44,9 +44,25 @@ function redirect_openid_login() {
   const urlParams = new URLSearchParams(window.location.search);
   const clientId = encodeURIComponent(urlParams.get('client_id'));
   const redirectUri = encodeURIComponent(urlParams.get('redirect_uri'));
+  const referrerState = (() => {
+    try {
+      const ref = document.referrer ? new URL(document.referrer) : null;
+      return ref ? ref.searchParams.get('state') : null;
+    } catch (e) {
+      return null;
+    }
+  })();
+
+  const state = urlParams.get('state') || referrerState || localStorage.getItem('openid_original_state');
+
+  if (state) {
+    localStorage.setItem('openid_original_state', state);
+  }
   const baseUrl = encodeURIComponent(window.location.origin);
+  const stateParam = state ? `&state=${encodeURIComponent(state)}` : '';
+  const clientStateParam = state ? `&client_state=${encodeURIComponent(state)}` : '';
 
-  window.location.href = `/auth/openid/authorize?client_id=${clientId}&redirect_uri=${redirectUri}&base_url=${baseUrl}`;
+  window.location.href = `/auth/openid/authorize?client_id=${clientId}&redirect_uri=${redirectUri}&base_url=${baseUrl}${stateParam}${clientStateParam}`;
 }
 
 function ensure_openid_button(openIdText) {

custom_components/openid/consent_template.html

@@ -0,0 +1,159 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Authorize Application - Home Assistant</title>
+    <style>
+      body {
+        font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif;
+        background-color: #f5f5f5;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        min-height: 100vh;
+        margin: 0;
+        padding: 20px;
+      }
+      .consent-card {
+        background: white;
+        border-radius: 8px;
+        box-shadow: 0 2px 8px rgba(0, 0, 0, 0.1);
+        max-width: 450px;
+        width: 100%;
+        padding: 32px;
+      }
+      h1 {
+        color: #333;
+        font-size: 24px;
+        margin: 0 0 8px 0;
+        font-weight: 500;
+      }
+      .subtitle {
+        color: #666;
+        font-size: 14px;
+        margin: 0 0 24px 0;
+      }
+      .client-info {
+        background: #f8f9fa;
+        border-left: 4px solid #03a9f4;
+        padding: 16px;
+        margin: 24px 0;
+        border-radius: 4px;
+      }
+      .client-info strong {
+        color: #333;
+        display: block;
+        margin-bottom: 4px;
+      }
+      .client-info code {
+        background: white;
+        padding: 2px 6px;
+        border-radius: 3px;
+        font-size: 13px;
+        color: #d32f2f;
+        word-break: break-all;
+      }
+      .permissions {
+        margin: 24px 0;
+      }
+      .permissions h2 {
+        font-size: 16px;
+        color: #333;
+        margin: 0 0 12px 0;
+        font-weight: 500;
+      }
+      .permissions ul {
+        list-style: none;
+        padding: 0;
+        margin: 0;
+      }
+      .permissions li {
+        padding: 8px 0 8px 28px;
+        position: relative;
+        color: #555;
+        font-size: 14px;
+      }
+      .permissions li:before {
+        content: '✓';
+        position: absolute;
+        left: 8px;
+        color: #4caf50;
+        font-weight: bold;
+      }
+      .actions {
+        display: flex;
+        gap: 12px;
+        margin-top: 32px;
+      }
+      button {
+        flex: 1;
+        padding: 12px 24px;
+        border: none;
+        border-radius: 4px;
+        font-size: 14px;
+        font-weight: 500;
+        cursor: pointer;
+        transition: all 0.2s;
+      }
+      .btn-authorize {
+        background: #03a9f4;
+        color: white;
+      }
+      .btn-authorize:hover {
+        background: #0288d1;
+      }
+      .btn-cancel {
+        background: #e0e0e0;
+        color: #333;
+      }
+      .btn-cancel:hover {
+        background: #bdbdbd;
+      }
+      .warning {
+        margin-top: 24px;
+        padding: 12px;
+        background: #fff3cd;
+        border-left: 4px solid #ffc107;
+        border-radius: 4px;
+        font-size: 13px;
+        color: #856404;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="consent-card">
+      <h1>Authorize Application</h1>
+      <p class="subtitle">An application is requesting access to your Home Assistant instance</p>
+
+      <div class="client-info">
+        <strong>Application:</strong>
+        <code>$client_id</code>
+      </div>
+
+      <div class="permissions">
+        <h2>This application will be able to:</h2>
+        <ul>
+          <li>Access your Home Assistant account</li>
+          <li>Read your user profile information</li>
+          <li>Perform actions on your behalf</li>
+        </ul>
+      </div>
+
+      <div class="warning">Only authorize applications you trust. Make sure you recognize the application URL above.</div>
+
+      <form method="post" action="/auth/openid/consent">
+        <input type="hidden" name="state" value="$state" />
+        <input type="hidden" name="client_id" value="$client_id" />
+        <input type="hidden" name="redirect_uri" value="$redirect_uri" />
+        <input type="hidden" name="base_url" value="$base_url" />
+        $client_state_input
+
+        <div class="actions">
+          <button type="button" class="btn-cancel" onclick="window.location.href='$cancel_url'">Cancel</button>
+          <button type="submit" class="btn-authorize">Authorize</button>
+        </div>
+      </form>
+    </div>
+  </body>
+</html>

custom_components/openid/const.py

@@ -17,3 +17,8 @@
 CONF_USE_HEADER_AUTH = "use_header_auth"
 CONF_OPENID_TEXT = "openid_text"
 CONF_TRUSTED_IPS = "trusted_ips"
+CONF_LOGOUT_URL = "logout_url"
+
+CRED_ID_TOKEN = "openid_id_token"
+CRED_SESSION_STATE = "openid_session_state"
+CRED_LOGOUT_REDIRECT_URI = "openid_logout_redirect_uri"