feat: handle oidc signout

Author: peppescg

src/app/catalog/page.tsx

@@ -1,18 +1,7 @@
-import { headers } from "next/headers";
-import { redirect } from "next/navigation";
-import { auth } from "@/lib/auth/auth";
 import { getServers } from "./actions";
 import { ServersWrapper } from "./components/servers-wrapper";
 
 export default async function CatalogPage() {
-  const session = await auth.api.getSession({
-    headers: await headers(),
-  });
-
-  if (!session) {
-    redirect("/signin");
-  }
-
   const servers = await getServers();
 
   return <ServersWrapper servers={servers} />;

src/lib/auth/__tests__/auth-client.test.ts

@@ -0,0 +1,125 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { clearRecordedRequests, server } from "@/mocks/node";
+import * as actions from "../actions";
+
+// Remove global mock of auth-client from vitest.setup.ts
+vi.unmock("@/lib/auth/auth-client");
+
+// Hoist mocks
+const mockAuthClientSignOut = vi.hoisted(() => vi.fn());
+const mockLocationReplace = vi.hoisted(() => vi.fn());
+
+// Mock Better Auth client
+vi.mock("better-auth/client/plugins", () => ({
+  genericOAuthClient: vi.fn(() => ({})),
+}));
+
+vi.mock("better-auth/react", () => ({
+  createAuthClient: vi.fn(() => ({
+    signIn: vi.fn(),
+    useSession: vi.fn(),
+    signOut: mockAuthClientSignOut,
+  })),
+}));
+
+// Mock window.location globally
+Object.defineProperty(globalThis, "window", {
+  value: {
+    location: {
+      replace: mockLocationReplace,
+    },
+  },
+  writable: true,
+  configurable: true,
+});
+
+describe("signOut", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    clearRecordedRequests();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    server.resetHandlers();
+  });
+
+  it("calls getOidcSignOutUrl, clearOidcTokenAction, redirect, and authClient.signOut", async () => {
+    const oidcLogoutUrl = "https://okta.example.com/logout?id_token_hint=xxx";
+
+    // Spy on server actions
+    const getOidcSignOutUrlSpy = vi
+      .spyOn(actions, "getOidcSignOutUrl")
+      .mockResolvedValue(oidcLogoutUrl);
+    const clearOidcTokenActionSpy = vi
+      .spyOn(actions, "clearOidcTokenAction")
+      .mockResolvedValue(undefined);
+    mockAuthClientSignOut.mockResolvedValue(undefined);
+
+    const { signOut } = await import("../auth-client");
+
+    await signOut();
+
+    // Verify all functions were called
+    expect(getOidcSignOutUrlSpy).toHaveBeenCalledTimes(1);
+    expect(clearOidcTokenActionSpy).toHaveBeenCalledTimes(1);
+    expect(mockLocationReplace).toHaveBeenCalledWith(oidcLogoutUrl);
+    expect(mockAuthClientSignOut).toHaveBeenCalledTimes(1);
+  });
+
+  it("calls functions in correct order", async () => {
+    const callOrder: string[] = [];
+
+    vi.spyOn(actions, "getOidcSignOutUrl").mockImplementation(async () => {
+      callOrder.push("getOidcSignOutUrl");
+      return "https://okta.example.com/logout";
+    });
+
+    vi.spyOn(actions, "clearOidcTokenAction").mockImplementation(async () => {
+      callOrder.push("clearOidcTokenAction");
+    });
+
+    mockLocationReplace.mockImplementation(() => {
+      callOrder.push("window.location.replace");
+    });
+
+    mockAuthClientSignOut.mockImplementation(async () => {
+      callOrder.push("authClient.signOut");
+    });
+
+    const { signOut } = await import("../auth-client");
+
+    await signOut();
+
+    expect(callOrder).toEqual([
+      "getOidcSignOutUrl",
+      "clearOidcTokenAction",
+      "window.location.replace",
+      "authClient.signOut",
+    ]);
+  });
+
+  it("redirects to /signin on error", async () => {
+    vi.spyOn(actions, "getOidcSignOutUrl").mockRejectedValue(
+      new Error("Network error"),
+    );
+
+    const { signOut } = await import("../auth-client");
+
+    await signOut();
+
+    expect(mockLocationReplace).toHaveBeenCalledWith("/signin");
+  });
+
+  it("uses /signin as fallback when no OIDC URL", async () => {
+    vi.spyOn(actions, "getOidcSignOutUrl").mockResolvedValue("/signin");
+    vi.spyOn(actions, "clearOidcTokenAction").mockResolvedValue(undefined);
+    mockAuthClientSignOut.mockResolvedValue(undefined);
+
+    const { signOut } = await import("../auth-client");
+
+    await signOut();
+
+    expect(mockLocationReplace).toHaveBeenCalledWith("/signin");
+  });
+});

src/lib/auth/__tests__/auth.test.ts

@@ -82,9 +82,14 @@ describe("auth", () => {
 
     it("should return null when token is expired", async () => {
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-token",
         userId: "user-123",
-        expiresAt: Date.now() - 1000, // Expired 1 second ago
+        accessTokenExpiresAt: Date.now() - 1000, // Expired 1 second ago
       };
 
       const encryptedPayload = await encrypt(
@@ -102,9 +107,14 @@ describe("auth", () => {
 
     it("should return null when token belongs to different user", async () => {
       const tokenData: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "valid-token",
         userId: "user-456", // Different user
-        expiresAt: Date.now() + 3600000,
+        accessTokenExpiresAt: Date.now() + 3600000,
       };
 
       const encryptedPayload = await encrypt(
@@ -120,9 +130,14 @@ describe("auth", () => {
 
     it("should return access token when valid", async () => {
       const tokenData: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "valid-access-token-123",
         userId: "user-123",
-        expiresAt: Date.now() + 3600000, // Valid for 1 hour
+        accessTokenExpiresAt: Date.now() + 3600000, // Valid for 1 hour
       };
 
       const encryptedPayload = await encrypt(
@@ -138,7 +153,7 @@ describe("auth", () => {
 
     it("should return null when token data is invalid", async () => {
       // Create invalid token data (missing required fields)
-      const invalidData = { accessToken: "token" }; // Missing userId and expiresAt
+      const invalidData = { accessToken: "token" }; // Missing userId and accessTokenExpiresAt
       const invalidPayload = await encrypt(
         invalidData as OidcTokenData,
         process.env.BETTER_AUTH_SECRET as string,
@@ -181,26 +196,36 @@ describe("auth", () => {
   describe("OidcTokenData Type Guard", () => {
     it("should validate correct OidcTokenData structure", () => {
       const validData: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "token",
         userId: "user-123",
-        expiresAt: Date.now() + 3600000,
+        accessTokenExpiresAt: Date.now() + 3600000,
         refreshToken: "refresh-token",
       };
 
       // Type guard is private, so we test indirectly through getOidcProviderAccessToken
       expect(validData).toHaveProperty("accessToken");
       expect(validData).toHaveProperty("userId");
-      expect(validData).toHaveProperty("expiresAt");
+      expect(validData).toHaveProperty("accessTokenExpiresAt");
       expect(typeof validData.accessToken).toBe("string");
       expect(typeof validData.userId).toBe("string");
-      expect(typeof validData.expiresAt).toBe("number");
+      expect(typeof validData.accessTokenExpiresAt).toBe("number");
     });
 
     it("should handle optional refreshToken", () => {
       const dataWithoutRefresh: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "token",
         userId: "user-123",
-        expiresAt: Date.now() + 3600000,
+        accessTokenExpiresAt: Date.now() + 3600000,
       };
 
       expect(dataWithoutRefresh.refreshToken).toBeUndefined();

src/lib/auth/__tests__/token.test.ts

@@ -79,9 +79,14 @@ describe("token", () => {
     it("should return existing token if still valid", async () => {
       const userId = "user-123";
       const tokenData: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "valid-access-token",
         userId,
-        expiresAt: Date.now() + 3600000, // Valid for 1 hour
+        accessTokenExpiresAt: Date.now() + 3600000, // Valid for 1 hour
       };
 
       const encryptedPayload = await encrypt(
@@ -100,9 +105,14 @@ describe("token", () => {
     it("should refresh token if expired", async () => {
       const userId = "user-123";
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-access-token",
         userId,
-        expiresAt: Date.now() - 1000, // Expired 1 second ago
+        accessTokenExpiresAt: Date.now() - 1000, // Expired 1 second ago
       };
 
       const encryptedPayload = await encrypt(
@@ -149,9 +159,14 @@ describe("token", () => {
     it("should return null if refresh API returns invalid response", async () => {
       const userId = "user-123";
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-token",
         userId,
-        expiresAt: Date.now() - 1000,
+        accessTokenExpiresAt: Date.now() - 1000,
       };
 
       const encryptedPayload = await encrypt(
@@ -177,9 +192,14 @@ describe("token", () => {
     it("should handle network errors during refresh", async () => {
       const userId = "user-123";
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-token",
         userId,
-        expiresAt: Date.now() - 1000,
+        accessTokenExpiresAt: Date.now() - 1000,
       };
 
       const encryptedPayload = await encrypt(
@@ -288,10 +308,15 @@ describe("token", () => {
     it("should handle complete refresh flow end-to-end", async () => {
       const userId = "user-123";
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-token",
         refreshToken: "valid-refresh-token",
         userId,
-        expiresAt: Date.now() - 1000,
+        accessTokenExpiresAt: Date.now() - 1000,
         refreshTokenExpiresAt: Date.now() + 86400000,
       };
 

src/lib/auth/actions.ts

@@ -0,0 +1,57 @@
+"use server";
+
+import { headers } from "next/headers";
+import {
+  auth,
+  clearOidcProviderToken,
+  getOidcDiscovery,
+} from "@/lib/auth/auth";
+import { BASE_URL } from "@/lib/auth/constants";
+import { getOidcIdToken } from "@/lib/auth/utils";
+
+/**
+ * Server action to clear OIDC token cookie on sign out.
+ */
+export async function clearOidcTokenAction(): Promise<void> {
+  await clearOidcProviderToken();
+}
+
+/**
+ * Server action to build the OIDC logout URL for RP-Initiated Logout.
+ * Returns the OIDC provider's logout URL, or "/signin" as fallback.
+ */
+export async function getOidcSignOutUrl(): Promise<string> {
+  try {
+    const session = await auth.api.getSession({
+      headers: await headers(),
+    });
+
+    if (!session?.user?.id) {
+      console.warn("[Auth] No active session for logout");
+      return "/signin";
+    }
+
+    const discovery = await getOidcDiscovery();
+
+    if (!discovery?.endSessionEndpoint) {
+      console.error("[Auth] OIDC end_session_endpoint not available");
+      return "/signin";
+    }
+
+    const idToken = await getOidcIdToken(session.user.id);
+
+    if (!idToken) {
+      console.warn("[Auth] No idToken found for OIDC logout");
+      return "/signin";
+    }
+
+    const url = new URL(discovery.endSessionEndpoint);
+    url.searchParams.set("id_token_hint", idToken);
+    url.searchParams.set("post_logout_redirect_uri", `${BASE_URL}/signin`);
+
+    return url.toString();
+  } catch (error) {
+    console.error("[Auth] Error building OIDC logout URL:", error);
+    return "/signin";
+  }
+}