Centralize logout method; delete OIDC sessions on logout

app/controllers/api/v1/Auth.controller.js

@@ -725,8 +725,7 @@ class AuthController extends Controller {
         await this.activity.mfa_enable({ req })
 
         // invalidate existing tokens and other logins
-        const flitter = await this.auth.get_provider('flitter')
+        await req.user.logout(req)
-        await flitter.logout(req)
         await req.user.kickout()
 
         return res.api({success: true, mfa_enabled: req.user.mfa_enabled})
@@ -747,8 +746,7 @@ class AuthController extends Controller {
         await this.activity.mfa_disable({ req })
 
         // invalidate existing login tokens and logins
-        const flitter = await this.auth.get_provider('flitter')
+        await req.user.logout(req)
-        await flitter.logout(req)
         await req.user.kickout()
 
         return res.api({success: true, mfa_enabled: req.user.mfa_enabled})

app/controllers/api/v1/Password.controller.js

@@ -91,8 +91,7 @@ class PasswordController extends Controller {
         if ( req.trap.has_trap() && req.trap.get_trap() === 'password_reset' ) await req.trap.end()
 
         // invalidate existing tokens and other logins
-        const flitter = await this.auth.get_provider('flitter')
+        await req.user.logout(req)
-        await flitter.logout(req)
         await req.user.kickout()
         req.trust.unassume()
         return res.api()

app/controllers/saml/SAML.controller.js

@@ -19,7 +19,6 @@ class SAMLController extends Controller {
         })(req, res, next)
     }
 
-    // TODO some sort of first-logon flow
     async get_sso(req, res, next) {
         const index = await req.saml.participants.issue({ service_provider: req.saml_request.service_provider })
 
@@ -71,7 +70,7 @@ class SAMLController extends Controller {
                 this.output.info(`${req.T('saml.clear_idp_session')} ${req.user.uid}`)
                 req.saml.participants.clear().then(async () => {
                     if ( this.saml.config().slo.end_coreid_session ) {
-                        await req.user.get_provider().logout(req)
+                        await req.user.logout(req)
 
                         // show logout page
                         return this.Vue.auth_message(res, {

app/models/auth/User.model.js

@@ -154,6 +154,19 @@ class User extends AuthUser {
         return Group.find({ active: true, user_ids: this.id })
     }
 
+    async oidc_sessions() {
+        const Session = this.models.get('openid:Session')
+        return Session.find({ 'payload.account': this.id })
+    }
+
+    async logout(request) {
+        for ( const session of (await this.oidc_sessions()) ) {
+            await session.delete()
+        }
+
+        this.get_provider().logout(request)
+    }
+
     async to_ldap(iam_targets = []) {
         const Policy = this.models.get('iam:Policy')
 

app/models/openid/Session.model.js

@@ -0,0 +1,17 @@
+const { Model } = require('flitter-orm')
+
+class SessionModel extends Model {
+    static get services() {
+        return [...super.services, 'models']
+    }
+
+    static get schema() {
+        return {
+            payload: {
+                account: String,
+            },
+        }
+    }
+}
+
+module.exports = exports = SessionModel