Centralize logout method; delete OIDC sessions on logout

Garrett Mills 2020-08-23 14:42:00 -05:00
parent d9c76e8dde
commit ff5ed6b39a
Signed by: garrettmills
GPG Key ID: D2BF5FBA8298F246
5 changed files with 34 additions and 8 deletions


@ -725,8 +725,7 @@ class AuthController extends Controller {
await this.activity.mfa_enable({ req }) await this.activity.mfa_enable({ req })
// invalidate existing tokens and other logins // invalidate existing tokens and other logins
const flitter = await this.auth.get_provider('flitter') await req.user.logout(req)
await flitter.logout(req)
await req.user.kickout() await req.user.kickout()
return res.api({success: true, mfa_enabled: req.user.mfa_enabled}) return res.api({success: true, mfa_enabled: req.user.mfa_enabled})
@ -747,8 +746,7 @@ class AuthController extends Controller {
await this.activity.mfa_disable({ req }) await this.activity.mfa_disable({ req })
// invalidate existing login tokens and logins // invalidate existing login tokens and logins
const flitter = await this.auth.get_provider('flitter') await req.user.logout(req)
await flitter.logout(req)
await req.user.kickout() await req.user.kickout()
return res.api({success: true, mfa_enabled: req.user.mfa_enabled}) return res.api({success: true, mfa_enabled: req.user.mfa_enabled})


@ -91,8 +91,7 @@ class PasswordController extends Controller {
if ( req.trap.has_trap() && req.trap.get_trap() === 'password_reset' ) await req.trap.end() if ( req.trap.has_trap() && req.trap.get_trap() === 'password_reset' ) await req.trap.end()
// invalidate existing tokens and other logins // invalidate existing tokens and other logins
const flitter = await this.auth.get_provider('flitter') await req.user.logout(req)
await flitter.logout(req)
await req.user.kickout() await req.user.kickout()
req.trust.unassume() req.trust.unassume()
return res.api() return res.api()


@ -19,7 +19,6 @@ class SAMLController extends Controller {
})(req, res, next) })(req, res, next)
} }
// TODO some sort of first-logon flow
async get_sso(req, res, next) { async get_sso(req, res, next) {
const index = await req.saml.participants.issue({ service_provider: req.saml_request.service_provider }) const index = await req.saml.participants.issue({ service_provider: req.saml_request.service_provider })
@ -71,7 +70,7 @@ class SAMLController extends Controller {
this.output.info(`${req.T('saml.clear_idp_session')} ${req.user.uid}`) this.output.info(`${req.T('saml.clear_idp_session')} ${req.user.uid}`)
req.saml.participants.clear().then(async () => { req.saml.participants.clear().then(async () => {
if ( this.saml.config().slo.end_coreid_session ) { if ( this.saml.config().slo.end_coreid_session ) {
await req.user.get_provider().logout(req) await req.user.logout(req)
// show logout page // show logout page
return this.Vue.auth_message(res, { return this.Vue.auth_message(res, {
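Review bot: The first hunk drops the `// TODO some sort of first-logon flow` comment above `get_sso` while nothing in this commit implements that flow; if it is still outstanding the marker should stay, and if it was resolved elsewhere the commit message should say where. In the second hunk the switch to `req.user.logout(req)` means the SAML SLO path guarded by `end_coreid_session` now also revokes the user's OIDC sessions, which matches the commit's intent but is a behaviour change for SAML single logout that deserves a line in the description. Both enclosing functions start and end outside the hunks, so the rejection handling for the `participants.clear().then(...)` chain is not visible here.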


@ -154,6 +154,19 @@ class User extends AuthUser {
return Group.find({ active: true, user_ids: this.id }) return Group.find({ active: true, user_ids: this.id })
} }
async oidc_sessions() {
const Session = this.models.get('openid:Session')
return Session.find({ 'payload.account': this.id })
}
async logout(request) {
for ( const session of (await this.oidc_sessions()) ) {
await session.delete()
}
this.get_provider().logout(request)
}
async to_ldap(iam_targets = []) { async to_ldap(iam_targets = []) {
const Policy = this.models.get('iam:Policy') const Policy = this.models.get('iam:Policy')
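Review bot: `this.get_provider().logout(request)` in the new `logout` method is not awaited, so `await req.user.logout(req)` resolves once the OIDC sessions are deleted but before the provider logout finishes; the callers in AuthController (both hunks), PasswordController and SAMLController then run `req.user.kickout()` or render the logout page concurrently with it, and a rejection from the provider surfaces as an unhandled promise instead of in the caller's error path. The lines this replaces awaited `flitter.logout(req)`, so the intent is a sequential call: `await this.get_provider().logout(request)`. A short JSDoc on `logout` saying that it deletes the user's OIDC sessions and then ends the provider session would also help, since the callers' comments still read only "invalidate existing tokens and other logins".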


@ -0,0 +1,17 @@
const { Model } = require('flitter-orm')
class SessionModel extends Model {
static get services() {
return [...super.services, 'models']
}
static get schema() {
return {
payload: {
account: String,
},
}
}
}
module.exports = exports = SessionModel
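Review bot: `services` declares a `models` dependency that nothing in `SessionModel` uses; unless flitter-orm needs it for model resolution, the override can be dropped and only `schema` kept. The schema lists just `payload.account`, which suffices for the `find` in `User.oidc_sessions`, but the provider's session payload presumably carries more fields, and whether flitter-orm preserves undeclared fields when a loaded document is saved back is not visible here — worth confirming before this model is used for anything beyond lookup and delete. `payload.account` is declared as `String` while the query passes `this.id`; if `this.id` is an ObjectId rather than a string the find will not match, so the stored type should be checked. A one-line header would make the file's purpose clear: `// ORM view of the OpenID provider's session collection; used by User#logout to revoke a user's OIDC sessions.`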