
URL: http://github.com/Drop-OSS/drop/commit/f04daf0388c2081f1f660d143590391a1dd121d4


Commit f04daf0

Add ODIC Back-Channel Logout (#304)
* prevent returning expired sessions * add issuer to ODIC creds * get id token in ODIC * make session signin return session * working backchannel logout? * require https for ODIC provider * handle wellknown not being https * find session api progress * fix windows build * return session token on session * switch OIDC to #searchSessions * update pnpm * switch to using message on error obj * move odic callback * fix type errors * redirect old oidc callback * make redirect url a URL * remove scheduled task downloadCleanup * fix session search for oidc * fix signin result * cleanup code * ignore data dir * fix lint error
1 parent 2967e43 commit f04daf0


18 files changed

+709
-114
lines changed


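--- a/.prettierignore
+++ b/.prettierignore
@@ -3,3 +3,5 @@ drop-base/
 pnpm-lock.yaml
 
 torrential/
+.data/**
+**/.data/**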

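--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -1,10 +1,13 @@
 // @ts-check
+import { globalIgnores } from "eslint/config";
 import withNuxt from "./.nuxt/eslint.config.mjs";
 import eslintConfigPrettier from "eslint-config-prettier/flat";
 import vueI18n from "@intlify/eslint-plugin-vue-i18n";
 import noPrismaDelete from "./rules/no-prisma-delete.mts";
 
 export default withNuxt([
+globalIgnores([".data/*"]),
+
 eslintConfigPrettier,
 
 // vue-i18n plugin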

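--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -2,7 +2,8 @@ import tailwindcss from "@tailwindcss/vite";
 import { execSync } from "node:child_process";
 import { readFileSync, existsSync } from "node:fs";
 import path from "node:path";
-import module from "module";
+import module from "node:module";
+import { fileURLToPath } from "node:url";
 import { type } from "arktype";
 
 const packageJsonSchema = type({
@@ -91,6 +92,11 @@ export default defineNuxtConfig({
 
 routeRules: {
 "/api/**": { cors: true },
+
+// redirect old OIDC callback route
+"/auth/callback/oidc": {
+redirect: "/api/v1/auth/odic/callback",
+},
 },
 
 nitro: {
@@ -116,7 +122,6 @@ export default defineNuxtConfig({
 
 scheduledTasks: {
 "0 * * * *": ["dailyTasks"],
-"*/30 * * * *": ["downloadCleanup"],
 },
 
 storage: {
@@ -266,11 +271,7 @@ function getDropVersion(): string {
 // example nightly: "v0.3.0-nightly.2025.05.28"
 const defaultVersion = "v0.0.0-alpha.0";
 
-// get path
-const packageJsonPath = path.join(
-path.dirname(import.meta.url.replace("file://", "")),
-"package.json",
-);
+const packageJsonPath = fileURLToPath(import.meta.resolve("./package.json"));
 
 if (!existsSync(packageJsonPath)) {
 console.error("Could not find package.json, using default version.");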
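Review bot: The redirect added under `routeRules` points at `/api/v1/auth/odic/callback`, spelling the segment `odic` while the comment directly above it says OIDC. This path is presumably what operators register as the redirect URI with their identity provider, so a misspelling becomes hard to correct once deployments depend on it. If the spelling is being kept for now, a comment such as `// NOTE: route segment is spelled "odic"; it must match the redirect URI registered with the provider` would save the next reader a search. The callback presumably still needs the `code` and `state` query parameters from the old URL, so the same comment should state that the rule relies on the query string being forwarded.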

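--- a/package.json
+++ b/package.json
@@ -44,6 +44,7 @@
 "file-type-mime": "^0.4.3",
 "jdenticon": "^3.3.0",
 "kjua": "^0.10.0",
+"jose": "^6.1.3",
 "luxon": "^3.6.1",
 "micromark": "^4.0.1",
 "normalize-url": "^8.0.2",
@@ -93,5 +94,5 @@
 "vue3-carousel": "^0.16.0"
 }
 },
-"packageManager": "pnpm@10.15.0+sha512.486ebc259d3e999a4e8691ce03b5cac4a71cbeca39372a9b762cb500cfdf0873e2cb16abe3d951b1ee2cf012503f027b98b6584e4df22524e0c7450d9ec7aa7b"
+"packageManager": "pnpm@10.27.0+sha512.72d699da16b1179c14ba9e64dc71c9a40988cbdc65c264cb0e489db7de917f20dcf4d64d8723625f2969ba52d4b7e2a1170682d9ac2a5dcaeaab732b7e16f04a"
 }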

pnpm-lock.yaml

Lines changed: 8 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

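--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -9,7 +9,7 @@ onlyBuiltDependencies:
 - sharp
 - unrs-resolver
 
-overrides:
-droplet: link:../../.local/share/pnpm/global/5/node_modules/@drop-oss/droplet
+# overrides:
+# droplet: link:../../.local/share/pnpm/global/5/node_modules/@drop-oss/droplet
 
 shamefullyHoist: true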
Lines changed: 17 additions & 4 deletions
@@ -1,15 +1,19 @@
11
import sessionHandler from "~/server/internal/session";
22
import authManager from "~/server/internal/auth";
3+
import type { Session } from "~/server/internal/session/types";
34

45
defineRouteMeta({
56
openAPI: {
6-
tags: ["Auth"],
7+
tags: ["Auth", "OIDC"],
78
description: "OIDC Signin callback",
89
parameters: [],
910
},
1011
});
1112

1213
export default defineEventHandler(async (h3) => {
14+
// dont cache login responses
15+
setHeader(h3, "Cache-Control", "no-store");
16+
1317
const enabledAuthManagers = authManager.getAuthProviders();
1418
if (!enabledAuthManagers.OpenID) return sendRedirect(h3, "/auth/signin");
1519

@@ -38,11 +42,20 @@ export default defineEventHandler(async (h3) => {
3842
statusMessage: `Failed to sign in: "${result}". Please try again.`,
3943
});
4044

41-
const sessionResult = await sessionHandler.signin(h3, result.user.id, true);
45+
// Attach OIDC session data
46+
const oidcData: Session["oidc"] = {
47+
iss: result.claims.iss,
48+
};
49+
if (result.claims.sub) oidcData.sub = result.claims.sub;
50+
if (result.claims.sid) oidcData.sid = result.claims.sid;
51+
52+
const sessionResult = await sessionHandler.signin(h3, result.user.id, {
53+
rememberMe: true,
54+
oidc: oidcData,
55+
});
4256
if (sessionResult == "fail")
4357
throw createError({ statusCode: 500, message: "Failed to set session" });
44-
45-
if (sessionResult == "2fa") {
58+
else if (sessionResult == "2fa") {
4659
return sendRedirect(
4760
h3,
4861
`/auth/mfa?redirect=${result.options.redirect ? encodeURIComponent(result.options.redirect) : "/"}`,
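Review bot: `sub` and `sid` are copied into `oidcData` only when present, so a session can be stored with `iss` alone and nothing in this section prevents it. Such a session either can never be matched by a later logout token or, depending on how the lookup outside this section is written, could be matched on issuer only. An ID token without `sub` is malformed, so failing the sign-in is safer than silently omitting the field, for example `if (!result.claims.sub) throw createError({ statusCode: 400, message: "OIDC ID token has no sub claim" });`. Separately, the `else if` after the `throw` is redundant, and the comparisons use `==` where the password sign-in handler in this commit uses `===`. The handler body starts before and continues past the lines shown.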
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
// import sessionHandler from "~/server/internal/session";
2+
import authManager from "~/server/internal/auth";
3+
4+
defineRouteMeta({
5+
openAPI: {
6+
tags: ["Auth", "OIDC"],
7+
description: "OIDC logout back-channel",
8+
parameters: [],
9+
},
10+
});
11+
12+
export default defineEventHandler(async (h3) => {
13+
// dont cache logout responses
14+
setHeader(h3, "Cache-Control", "no-store");
15+
16+
const enabledAuthManagers = authManager.getAuthProviders();
17+
if (!enabledAuthManagers.OpenID)
18+
throw createError({
19+
statusCode: 400,
20+
message: "OIDC not enabled.",
21+
});
22+
23+
const logout_token = (await readFormData(h3)).get("logout_token");
24+
if (typeof logout_token !== "string")
25+
throw createError({
26+
statusCode: 400,
27+
message: "Invalid OIDC logout notification.",
28+
});
29+
const okay = await enabledAuthManagers.OpenID.handleLogout(logout_token);
30+
if (!okay) {
31+
throw createError({
32+
statusCode: 400,
33+
message: "Invalid OIDC logout notification.",
34+
});
35+
}
36+
37+
// const result = OIDCLogoutTokenV1(logout_token);
38+
39+
// const manager = enabledAuthManagers.OpenID;
40+
41+
// const query = getQuery(h3);
42+
43+
return {
44+
success: true,
45+
};
46+
});
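Review bot: Nothing in this handler records an accepted or rejected logout notification, and the endpoint is unauthenticated by design, so a run of forged or replayed `logout_token` posts would leave no trace here; a log line on both branches (issuer and outcome, never the raw token) would give operators something to alert on. All token validation — signature, `iss`, `aud`, `iat`, the back-channel-logout `events` claim and the absence of `nonce` — is delegated to `handleLogout`, which is outside this section, so it cannot be confirmed from here. `readFormData` probably rejects when the body is not form-encoded, which would surface as a 500 rather than the 400 used for the other failures; `const form = await readFormData(h3).catch(() => null);` followed by `const logout_token = form?.get("logout_token");` would route that case into the existing 400. The commented-out import at the top and the three commented-out statements before the `return` should be removed before merge.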

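--- a/server/api/v1/auth/passkey/finish.post.ts
+++ b/server/api/v1/auth/passkey/finish.post.ts
@@ -98,7 +98,9 @@ export default defineEventHandler(async (h3) => {
 },
 });
 
-await sessionHandler.signin(h3, mfaMec.userId, true);
+await sessionHandler.signin(h3, mfaMec.userId, {
+rememberMe: true,
+});
 await sessionHandler.mfa(h3, 10);
 
 return {};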
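Review bot: The return value of `sessionHandler.signin` is discarded here, although the other callers in this commit treat `"fail"` as an error; if session creation fails, this handler still calls `mfa` and returns `{}` as though the passkey sign-in had succeeded. Checking it the same way closes the gap: `const result = await sessionHandler.signin(h3, mfaMec.userId, { rememberMe: true });` followed by `if (result === "fail") throw createError({ statusCode: 500, message: "Failed to create session" });`. The enclosing handler starts before the hunk and appears to end after it.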

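--- a/server/api/v1/auth/signin/simple.post.ts
+++ b/server/api/v1/auth/signin/simple.post.ts
@@ -84,17 +84,16 @@ export default defineEventHandler<{
 });
 
 // TODO: send user to forgot password screen or something to force them to change their password to new system
-const result = await sessionHandler.signin(
-h3,
-authMek.userId,
-body.rememberMe,
-);
+const result = await sessionHandler.signin(h3, authMek.userId, {
+rememberMe: body.rememberMe ?? false,
+});
 if (result === "fail")
 throw createError({
 statusCode: 500,
 message: "Failed to create session",
 });
-return { userId: authMek.userId, result };
+
+return { result: result, userId: authMek.userId };
 }
 
 // V2: argon2
@@ -111,11 +110,9 @@ export default defineEventHandler<{
 statusMessage: t("errors.auth.invalidUserOrPass"),
 });
 
-const result = await sessionHandler.signin(
-h3,
-authMek.userId,
-body.rememberMe,
-);
+const result = await sessionHandler.signin(h3, authMek.userId, {
+rememberMe: body.rememberMe ?? false,
+});
 if (result == "fail")
 throw createError({ statusCode: 500, message: "Failed to create session" });
 return { userId: authMek.userId, result };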
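Review bot: `result` is returned to the client verbatim in both hunks, and the commit message says signin now returns the session, so the response body may carry the whole session record rather than a status string. The return type of `signin` is not shown on this page, so this needs confirming; if it is the session, the handler should return only the fields the client needs and leave the token to the cookie. The two branches also disagree in small ways, `=== "fail"` against `== "fail"` and `{ result: result, userId: ... }` against `{ userId: ..., result }`; using `===` and the shorthand form in both would keep them in step. The enclosing handler starts and ends outside both hunks.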
