
Commit 389cd32

committed
Allow logout requests from all third-party apps
1 parent e3050b9 commit 389cd32


1 file changed

+25
-16
lines changed

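--- a/lib/create-app.js
+++ b/lib/create-app.js
@@ -168,23 +168,23 @@ function initWebId (argv, app, ldp) {
 // (for same-domain browsing by people only)
 const useSecureCookies = !!argv.sslKey // use secure cookies when over HTTPS
 const sessionHandler = session(sessionSettings(useSecureCookies, argv.host))
+app.use(sessionHandler)
+// Reject cookies from third-party applications.
+// Otherwise, when a user is logged in to their Solid server,
+// any third-party application could perform authenticated requests
+// without permission by including the credentials set by the Solid server.
 app.use((req, res, next) => {
-sessionHandler(req, res, () => {
-// Reject cookies from third-party applications.
-// Otherwise, when a user is logged in to their Solid server,
-// any third-party application could perform authenticated requests
-// without permission by including the credentials set by the Solid server.
-const origin = req.headers.origin
-const userId = req.session.userId
-if (!argv.host.allowsSessionFor(userId, origin)) {
-debug(`Rejecting session for ${userId} from ${origin}`)
-// Destroy session data
-delete req.session.userId
-// Ensure this modified session is not saved
-req.session.save = (done) => done()
-}
-next()
-})
+const origin = req.headers.origin
+const userId = req.session.userId
+// Exception: allow logout requests from all third-party apps
+if (!argv.host.allowsSessionFor(userId, origin) && !isLogoutRequest(req)) {
+debug(`Rejecting session for ${userId} from ${origin}`)
+// Destroy session data
+delete req.session.userId
+// Ensure this modified session is not saved
+req.session.save = (done) => done()
+}
+next()
 })
 
 let accountManager = AccountManager.from({
@@ -209,6 +209,15 @@ function initWebId (argv, app, ldp) {
 }
 }
 
+/**
+* Determines whether the given request is a logout request
+*/
+function isLogoutRequest (req) {
+// TODO: this is a hack that hard-codes OIDC paths,
+// this code should live in the OIDC module
+return req.path === '/logout' || req.path === '/goodbye'
+}
+
 /**
 * Sets up authentication-related routes and handlers for the app.
 *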
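Review bot: The exemption in `isLogoutRequest` is keyed on `req.path` alone, so a cross-origin request to `/logout` or `/goodbye` from any site now carries the user's session regardless of HTTP method, which (if the OIDC logout route also answers GET) lets any page force a logout through a plain `<img>` or link. Consider restricting the exemption to the method the logout handler actually expects, e.g. `return (req.path === '/logout' || req.path === '/goodbye') && req.method === 'POST'`, confirmed against the OIDC module that the TODO already names as the proper home for this check. The helper's JSDoc should also state what the exemption buys and costs, e.g. `* Requests to these paths keep their session even from a non-allowed Origin, so that third-party apps can log the user out.` What the `/goodbye` handler does with an authenticated session is not visible in this diff and should be checked before it shares the exemption. `initWebId` starts before the first hunk and continues after the second.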
