Centralize logout method; delete OIDC sessions on logout

2020-08-23 14:42:00 -05:00 · 2020-08-23 14:42:00 -05:00 · ff5ed6b39a
commit ff5ed6b39a
parent d9c76e8dde
5 changed files with 34 additions and 8 deletions
--- a/app/controllers/api/v1/Auth.controller.js
+++ b/app/controllers/api/v1/Auth.controller.js
@ -725,8 +725,7 @@ class AuthController extends Controller {
        await this.activity.mfa_enable({ req })

        // invalidate existing tokens and other logins
-        const flitter = await this.auth.get_provider('flitter')
-        await flitter.logout(req)
+        await req.user.logout(req)
        await req.user.kickout()

        return res.api({success: true, mfa_enabled: req.user.mfa_enabled})
@ -747,8 +746,7 @@ class AuthController extends Controller {
        await this.activity.mfa_disable({ req })

        // invalidate existing login tokens and logins
-        const flitter = await this.auth.get_provider('flitter')
-        await flitter.logout(req)
+        await req.user.logout(req)
        await req.user.kickout()

        return res.api({success: true, mfa_enabled: req.user.mfa_enabled})
--- a/app/controllers/api/v1/Password.controller.js
+++ b/app/controllers/api/v1/Password.controller.js
@ -91,8 +91,7 @@ class PasswordController extends Controller {
        if ( req.trap.has_trap() && req.trap.get_trap() === 'password_reset' ) await req.trap.end()

        // invalidate existing tokens and other logins
-        const flitter = await this.auth.get_provider('flitter')
-        await flitter.logout(req)
+        await req.user.logout(req)
        await req.user.kickout()
        req.trust.unassume()
        return res.api()
--- a/app/controllers/saml/SAML.controller.js
+++ b/app/controllers/saml/SAML.controller.js
@ -19,7 +19,6 @@ class SAMLController extends Controller {
        })(req, res, next)
    }

-    // TODO some sort of first-logon flow
    async get_sso(req, res, next) {
        const index = await req.saml.participants.issue({ service_provider: req.saml_request.service_provider })

@ -71,7 +70,7 @@ class SAMLController extends Controller {
                this.output.info(`${req.T('saml.clear_idp_session')} ${req.user.uid}`)
                req.saml.participants.clear().then(async () => {
                    if ( this.saml.config().slo.end_coreid_session ) {
-                        await req.user.get_provider().logout(req)
+                        await req.user.logout(req)

                        // show logout page
                        return this.Vue.auth_message(res, {
--- a/app/models/auth/User.model.js
+++ b/app/models/auth/User.model.js
@ -154,6 +154,19 @@ class User extends AuthUser {
        return Group.find({ active: true, user_ids: this.id })
    }

+    async oidc_sessions() {
+        const Session = this.models.get('openid:Session')
+        return Session.find({ 'payload.account': this.id })
+    }
+
+    async logout(request) {
+        for ( const session of (await this.oidc_sessions()) ) {
+            await session.delete()
+        }
+
+        this.get_provider().logout(request)
+    }
+
    async to_ldap(iam_targets = []) {
        const Policy = this.models.get('iam:Policy')

--- a/app/models/openid/Session.model.js
+++ b/app/models/openid/Session.model.js
@ -0,0 +1,17 @@
+const { Model } = require('flitter-orm')
+
+class SessionModel extends Model {
+    static get services() {
+        return [...super.services, 'models']
+    }
+
+    static get schema() {
+        return {
+            payload: {
+                account: String,
+            },
+        }
+    }
+}
+
+module.exports = exports = SessionModel