Ronni Baslund
955357a91a
ci / typecheck (map[dir:apps/booking name:booking]) (push) Has been cancelled
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
The apps were wired for the dev (.local) environment. Drive the base URLs from env so one build serves dev and prod (.eu): - portal nuxt.config: OIDC authorization/token/userinfo/discovery URLs + redirectUri now derive from NUXT_PUBLIC_AUTH_URL / NUXT_PUBLIC_PORTAL_URL (+ PORTAL_OIDC_APP_SLUG); .local defaults keep dev working with no env. - portal sign-out handler: end-session + post-logout URLs env-driven. - portal scheduling page: booking base/host from runtimeConfig.public.bookingUrl (NUXT_PUBLIC_BOOKING_URL). - platform-api: tenant mail domain suffix from PLATFORM_TENANT_DOMAIN (dezky.eu in prod), defaulting to dezky.local. (booking needs no change — its only .local ref is the dev-server allowedHosts.)
49 lines
2.4 KiB
TypeScript
49 lines
2.4 KiB
TypeScript
// Sign-out. Ends both the portal session and the Authentik IdP session so
|
|
// "Sign in again" always requires fresh credentials — even for the next
|
|
// person at the same browser.
|
|
//
|
|
// Flow:
|
|
// 1. Read the id_token off the local session (needed as id_token_hint).
|
|
// 2. Clear the local nuxt-oidc-auth session (cookie + persistent store).
|
|
// 3. 302 the BROWSER to Authentik's end-session endpoint with
|
|
// post_logout_redirect_uri=/signed-out.
|
|
//
|
|
// Why the browser redirect (not server-to-server):
|
|
// Authentik's session cookie lives on auth.dezky.local. Only a response
|
|
// FROM that host can set/clear it — a server-side fetch invalidates the
|
|
// session record but leaves the browser cookie intact, so the next OIDC
|
|
// authorize succeeds silently. A 302 through Authentik fixes that: the
|
|
// browser visits auth.dezky.local, receives Set-Cookie clearing the
|
|
// session, then bounces back to /signed-out (the URL is in the provider's
|
|
// redirect_uris list — see infrastructure setup).
|
|
//
|
|
// The brief URL-bar flash through auth.dezky.local is acceptable: no
|
|
// Authentik UI renders (it's a redirect chain), and the Traefik middleware
|
|
// on the authentik service would catch any stray landing on the dashboard
|
|
// anyway.
|
|
|
|
import { getUserSession, clearUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'
|
|
|
|
// Environment-driven so one build serves dev (.local) and prod (.eu). The
|
|
// public runtime config carries authUrl/portalUrl (NUXT_PUBLIC_AUTH_URL /
|
|
// NUXT_PUBLIC_PORTAL_URL); fall back to the dev hosts.
|
|
const AUTH_URL = (process.env.NUXT_PUBLIC_AUTH_URL || 'https://auth.dezky.local').replace(/\/$/, '')
|
|
const PORTAL_URL = (process.env.NUXT_PUBLIC_PORTAL_URL || 'https://app.dezky.local').replace(/\/$/, '')
|
|
const OIDC_APP_SLUG = process.env.PORTAL_OIDC_APP_SLUG || 'dezky-portal'
|
|
const END_SESSION = `${AUTH_URL}/application/o/${OIDC_APP_SLUG}/end-session/`
|
|
const POST_LOGOUT_REDIRECT = `${PORTAL_URL}/signed-out`
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
const session = await getUserSession(event).catch(() => ({} as any))
|
|
const idToken: string | undefined = (session as any).idToken
|
|
|
|
await clearUserSession(event).catch(() => {})
|
|
|
|
const params = new URLSearchParams({
|
|
post_logout_redirect_uri: POST_LOGOUT_REDIRECT,
|
|
...(idToken && { id_token_hint: idToken }),
|
|
})
|
|
|
|
return sendRedirect(event, `${END_SESSION}?${params.toString()}`, 302)
|
|
})
|