[post_logout] fix state etc using form (#690)

* add state field to html template and pass thgough for logout * Revert "add state field to html template and pass thgough for logout" This reverts commit 9c2c807. * use From for post_logout * try to get redirect from header location * redirect using custom header loc instead of LOCATION * redirect using LOCATION and status OK 200 * shorten code * use location.replace --------- Co-authored-by: local <[email protected]>
sebadob · Jan 13, 2025 · c0de5b6 · c0de5b6
1 parent 04e28c9
commit c0de5b6
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 7 deletions.
diff --git a/frontend/src/routes/oidc/logout/+page.svelte b/frontend/src/routes/oidc/logout/+page.svelte
@@ -46,9 +46,9 @@
 
     async function handleRes(res) {
         purgeStorage();
-        if (res.ok) {
-            window.location.href = res.headers.get('location');
-        } else {
+        if (res.ok && res.headers.get('location')) {
+            window.location.replace(res.headers.get('location'));
+        }else {
             await handleCancel();
         }
     }

diff --git a/frontend/src/utils/dataFetching.js b/frontend/src/utils/dataFetching.js
@@ -18,6 +18,13 @@ function getCsrfHeaders() {
     }
 }
 
+function getCsrfHeadersForm() {
+    return {
+        ...HEADERS.form,
+        'csrf-token': getCsrfToken(),
+    }
+}
+
 export async function authorize(data) {
     const res = await fetch('/auth/v1/oidc/authorize', {
         method: 'POST',
@@ -87,14 +94,14 @@ export async function getSessionInfoXsrf(accessToken) {
 }
 
 export async function logout(data) {
-    let body = new FormData();
+    let body = new URLSearchParams();
     for (let key in data) {
         body.append(key, data[key]);
     }
 
     return await fetch('/auth/v1/oidc/logout', {
         method: 'POST',
-        headers: getCsrfHeaders(),
+        headers: getCsrfHeadersForm(),
         body,
     });
 }

diff --git a/src/api/src/oidc.rs b/src/api/src/oidc.rs
@@ -656,7 +656,7 @@ pub async fn get_logout(
 )]
 #[post("/oidc/logout")]
 pub async fn post_logout(
-    Query(params): Query<LogoutRequest>,
+    Form(params): Form<LogoutRequest>,
     principal: ReqPrincipal,
 ) -> Result<HttpResponse, ErrorResponse> {
     let session = principal.get_session()?.clone();
@@ -683,7 +683,7 @@ pub async fn post_logout(
             params.post_logout_redirect_uri.as_ref().unwrap(),
             state
         );
-        return Ok(HttpResponse::build(StatusCode::MOVED_PERMANENTLY)
+        return Ok(HttpResponse::build(StatusCode::OK)
             .append_header((header::LOCATION, loc))
             .cookie(cookie)
             .cookie(cookie_fed_cm)