From ff5ed6b39a285b851d2e433c0b5ac1ee44c58087 Mon Sep 17 00:00:00 2001
From: garrettmills
Date: Sun, 23 Aug 2020 14:42:00 -0500
Subject: [PATCH] Centralize logout method; delete OIDC sessions on logout

---
 app/controllers/api/v1/Auth.controller.js | 6 ++----
 app/controllers/api/v1/Password.controller.js | 3 +--
 app/controllers/saml/SAML.controller.js | 3 +--
 app/models/auth/User.model.js | 13 +++++++++++++
 app/models/openid/Session.model.js | 17 +++++++++++++++++
 5 files changed, 34 insertions(+), 8 deletions(-)
 create mode 100644 app/models/openid/Session.model.js

diff --git a/app/controllers/api/v1/Auth.controller.js b/app/controllers/api/v1/Auth.controller.js
index b8bba7b..0d6dc9d 100644
--- a/app/controllers/api/v1/Auth.controller.js
+++ b/app/controllers/api/v1/Auth.controller.js
@@ -725,8 +725,7 @@ class AuthController extends Controller {
  await this.activity.mfa_enable({ req })
  // invalidate existing tokens and other logins
- const flitter = await this.auth.get_provider('flitter')
- await flitter.logout(req)
+ await req.user.logout(req)
  await req.user.kickout()
  return res.api({success: true, mfa_enabled: req.user.mfa_enabled})
@@ -747,8 +746,7 @@ class AuthController extends Controller {
  await this.activity.mfa_disable({ req })
  // invalidate existing login tokens and logins
- const flitter = await this.auth.get_provider('flitter')
- await flitter.logout(req)
+ await req.user.logout(req)
  await req.user.kickout()
  return res.api({success: true, mfa_enabled: req.user.mfa_enabled})
diff --git a/app/controllers/api/v1/Password.controller.js b/app/controllers/api/v1/Password.controller.js
index ba3c29c..f9f172c 100644
--- a/app/controllers/api/v1/Password.controller.js
+++ b/app/controllers/api/v1/Password.controller.js
@@ -91,8 +91,7 @@ class PasswordController extends Controller {
  if ( req.trap.has_trap() && req.trap.get_trap() === 'password_reset' ) await req.trap.end()
  // invalidate existing tokens and other logins
- const flitter = await this.auth.get_provider('flitter')
- await flitter.logout(req)
+ await req.user.logout(req)
  await req.user.kickout()
  req.trust.unassume()
  return res.api()
diff --git a/app/controllers/saml/SAML.controller.js b/app/controllers/saml/SAML.controller.js
index b6c9808..0e8145c 100644
--- a/app/controllers/saml/SAML.controller.js
+++ b/app/controllers/saml/SAML.controller.js
@@ -19,7 +19,6 @@ class SAMLController extends Controller {
  })(req, res, next)
  }
- // TODO some sort of first-logon flow
  async get_sso(req, res, next) {
  const index = await req.saml.participants.issue({ service_provider: req.saml_request.service_provider })
@@ -71,7 +70,7 @@ class SAMLController extends Controller {
  this.output.info(`${req.T('saml.clear_idp_session')} ${req.user.uid}`)
  req.saml.participants.clear().then(async () => {
  if ( this.saml.config().slo.end_coreid_session ) {
- await req.user.get_provider().logout(req)
+ await req.user.logout(req)
  // show logout page
  return this.Vue.auth_message(res, {
diff --git a/app/models/auth/User.model.js b/app/models/auth/User.model.js
index 2f47fad..61b5b09 100644
--- a/app/models/auth/User.model.js
+++ b/app/models/auth/User.model.js
@@ -154,6 +154,19 @@ class User extends AuthUser {
  return Group.find({ active: true, user_ids: this.id })
  }
+ async oidc_sessions() {
+ const Session = this.models.get('openid:Session')
+ return Session.find({ 'payload.account': this.id })
+ }
+
+ async logout(request) {
+ for ( const session of (await this.oidc_sessions()) ) {
+ await session.delete()
+ }
+
+ this.get_provider().logout(request)
+ }
+
  async to_ldap(iam_targets = []) {
  const Policy = this.models.get('iam:Policy')
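Review bot: `await req.user.logout(req)` inside the `.then(async () => { … })` callback now also runs database deletes (the OIDC session cleanup in `User.logout`), so a failed delete rejects that callback before `this.Vue.auth_message(res, …)` is reached; whether the `.then` chain ends in a `.catch` is not visible in this hunk, and without one the failure is an unhandled rejection and no response is ever sent for the SLO request. Consider catching around the call and still rendering the logout page (or failing the request explicitly) rather than leaving the client hanging. The enclosing handler starts and ends outside the hunk.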
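Review bot: `this.get_provider().logout(request)` in the new `logout` method is not awaited, so the promise it returns is dropped: the callers in this patch (`Auth.controller.js` mfa_enable/mfa_disable, `Password.controller.js`, `SAML.controller.js`) `await req.user.logout(req)` and then proceed to `kickout()` and respond before the provider session is actually ended, and a rejection from the provider surfaces as an unhandled rejection instead of an error to the caller. The replaced code awaited `flitter.logout(req)` at each call site, so this should be `await this.get_provider().logout(request)`. The query `{ 'payload.account': this.id }` assumes the OIDC adapter stores the account id with the same type as `this.id` (the new Session schema declares it a String); if they differ nothing matches and no sessions are revoked, so this is worth confirming against the adapter. If the provider also persists access/refresh tokens or grants in other collections, those are not touched here, so the "invalidate existing tokens" intent stated at the call sites may need more than session deletion. A short JSDoc on `logout` stating that it deletes the user's OIDC sessions and then ends the auth-provider session would make that contract explicit for callers.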
diff --git a/app/models/openid/Session.model.js b/app/models/openid/Session.model.js
new file mode 100644
index 0000000..eef7289
--- /dev/null
+++ b/app/models/openid/Session.model.js
@@ -0,0 +1,17 @@
+const { Model } = require('flitter-orm')
+
+class SessionModel extends Model {
+ static get services() {
+ return [...super.services, 'models']
+ }
+
+ static get schema() {
+ return {
+ payload: {
+ account: String,
+ },
+ }
+ }
+}
+
+module.exports = exports = SessionModel
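Review bot: `SessionModel` declares only `payload.account` in its schema, while the documents it reads are written by the OIDC provider's adapter with a fuller payload; if flitter-orm applies the schema when saving, persisting an instance loaded through this model would strip the rest of that payload, so the model should be treated as find/delete only. A header comment would prevent that misuse, e.g. `// Minimal view of OIDC provider sessions, used only to find and delete them on logout; do not save() through this model.`. It also assumes the collection this model maps to is the one the OIDC adapter writes to, which is not visible here and should be confirmed, since a mismatch would make the logout cleanup silently a no-op.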