UNPKG

@quarks/quarks-iam

Version:

A modern authorization server built to authenticate your users and protect your APIs

github.com/anvilresearch/connect

anvilresearch/connect

77 lines (72 loc) 2.55 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
/** * Module dependencies */ var authenticator = require('../lib/authenticator') var settings = require('../boot/settings') var Client = require('../models/Client') var IDToken = require('../models/IDToken') /** * Handles signout requests (GETs or POSTs to the /signout endpoint) and ends a * user's session. If an ID Token hint and a post-signout URI are provided, * verifies that the URI has been pre-registered, signs out, and redirects the * user to it. Otherwise, just signs out with no redirect. * @method signout * @param [req.query.id_token_hint] {String} * @param [req.body.id_token_hint] {String} Id Token hint, identifies the * client/user * @param [req.query.post_logout_redirect_uri] {String} * @param [req.body.post_logout_redirect_uri] {String} If specified, this * handler verifies that the uri was pre-registered, and sends a redirect to * it via an HTTP 303 See Other response. * @param [req.query.state] {String} * @param [req.body.state] {String} Opaque OIDC state parameter */ function signout (req, res, next) { var idToken, clientId var params = req.query || req.body var postLogoutUri = params.post_logout_redirect_uri var idHint = params.id_token_hint var state = params.state if (idHint) { idToken = IDToken.decode(idHint, settings.keys.sig.pub) if (idToken instanceof Error) { return next(idToken) } clientId = idToken.payload.aud } authenticator.logout(req) if (clientId && postLogoutUri) { // Verify the post-signout uri (must have been registered for this client) return Client.get(clientId, function (err, client) { if (err) { return next(err) } var isValidUri = false if (client) { var registeredUris = client.post_logout_redirect_uris isValidUri = registeredUris && (registeredUris.indexOf(postLogoutUri) !== -1) } if (isValidUri) { if (state) { postLogoutUri += '?state=' + state } // sign out and redirect return res.redirect(303, postLogoutUri) } // Otherwise, fall through to default case below return emptyresponse(res) }) } // Handle all the other cases - no postLogoutUri specified, or the client is // unknown, or the given postLogoutUri has not been registered previously. // Do not redirect, simply sign out return emptyresponse(res) } function emptyresponse (res) { res.set({ 'Cache-Control': 'no-store', 'Pragma': 'no-cache' }) return res.sendStatus(204) } /** * Export */ module.exports = signout