Allow logout requests from all third-party apps.

RubenVerborgh · RubenVerborgh · commit 0a48614be659 · 2018-10-02T23:50:37.000+02:00
diff --git a/lib/create-app.js b/lib/create-app.js
@@ -168,23 +168,27 @@ function initWebId (argv, app, ldp) {
   // (for same-domain browsing by people only)
   const useSecureCookies = !!argv.sslKey // use secure cookies when over HTTPS
   const sessionHandler = session(sessionSettings(useSecureCookies, argv.host))
+  app.use(sessionHandler)
+  // Reject cookies from third-party applications.
+  // Otherwise, when a user is logged in to their Solid server,
+  // any third-party application could perform authenticated requests
+  // without permission by including the credentials set by the Solid server.
   app.use((req, res, next) => {
-    sessionHandler(req, res, () => {
-      // Reject cookies from third-party applications.
-      // Otherwise, when a user is logged in to their Solid server,
-      // any third-party application could perform authenticated requests
-      // without permission by including the credentials set by the Solid server.
-      const origin = req.headers.origin
-      const userId = req.session.userId
-      if (!argv.host.allowsSessionFor(userId, origin)) {
-        debug(`Rejecting session for ${userId} from ${origin}`)
-        // Destroy session data
-        delete req.session.userId
-        // Ensure this modified session is not saved
-        req.session.save = (done) => done()
-      }
-      next()
-    })
+    const origin = req.headers.origin
+    const userId = req.session.userId
+    // Exception: allow logout requests from all third-party apps
+    // such that OIDC client can log out via cookie auth
+    // TODO: remove this exception when OIDC clients
+    // use Bearer token to authenticate instead of cookie
+    // (https://github.com/solid/node-solid-server/pull/835#issuecomment-426429003)
+    if (!argv.host.allowsSessionFor(userId, origin) && !isLogoutRequest(req)) {
+      debug(`Rejecting session for ${userId} from ${origin}`)
+      // Destroy session data
+      delete req.session.userId
+      // Ensure this modified session is not saved
+      req.session.save = (done) => done()
+    }
+    next()
   })
 
   let accountManager = AccountManager.from({
@@ -209,6 +213,15 @@ function initWebId (argv, app, ldp) {
   }
 }
 
+/**
+ * Determines whether the given request is a logout request
+ */
+function isLogoutRequest (req) {
+  // TODO: this is a hack that hard-codes OIDC paths,
+  // this code should live in the OIDC module
+  return req.path === '/logout' || req.path === '/goodbye'
+}
+
 /**
  * Sets up authentication-related routes and handlers for the app.
  *
