Commit
Cleanup for postLogoutRedirectUri, authorizationParams
joshcanhelp committed Jan 23, 2020
1 parent 5b274f4 commit 44894ce
Showing 4 changed files with 22 additions and 24 deletions.
6 changes: 3 additions & 3 deletions API.md
Expand Up @@ -37,14 +37,14 @@ Additional configuration keys that can be passed to `auth()` on initialization:
- **`legacySameSiteCookie`** - Set a fallback cookie with no SameSite attribute when `authorizationParams.response_mode` is `form_post`. Default is `true`.
- **`loginPath`** - Relative path to application login. Default is `/login`.
- **`logoutPath`** - Relative path to application logout. Default is `/logout`.
- **`postLogoutRedirectUri`** - Either a relative path to the application or a valid URI to an external domain. The user will be redirected to this after a logout has been performed. This value must be registered at the authorization server/ Default is `baseUrl`.
- **`redirectUriPath`** - Relative path to the application callback to process the response from the authorization server. This value is combined with the `baseUrl` and sent to the authorize endpoint as the `redirectUri` parameter. Default is `/callback`.
- **`postLogoutRedirectUri`** - Either a relative path to the application or a valid URI to an external domain. The user will be redirected to this after a logout has been performed. Default is `baseUrl`.
- **`required`** - Use a boolean value to require authentication for all routes. Pass a function instead to base this value on the request. Default is `true`.
- **`routes`** - Boolean value to automatically install the login and logout routes. See [the examples](EXAMPLES.md) for more information on how this key is used. Default is `true`.

### Authorization Params Key

The `authorizationParams` key defines the URL parameters used when redirecting users to the authorization server to log in. If this key is not provided by your application, its default value will be:
The `authorizationParams` key defines the URL parameters used when redirecting users to the authorization server to log in. If this key is not provided by your application, its default values will be:

```js
{
Expand All @@ -54,7 +54,7 @@ The `authorizationParams` key defines the URL parameters used when redirecting u
}
```

A new object can be passed in to change what is returned from the authorization server depending on your specific scenario.
New values can be passed in to change what is returned from the authorization server depending on your specific scenario.

For example, to receive an access token for an API, you could initialize like the sample below. Note that `response_mode` can be omitted because the OAuth2 default mode of `query` is fine:

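Review bot: the rewrite of the `postLogoutRedirectUri` entry fixes the stray `/` typo but also drops "This value must be registered at the authorization server", so integrators are no longer told that an external post-logout URI has to be on the server's allow list; suggest keeping it, e.g. "This value must be registered at the authorization server. Default is `baseUrl`." Also worth checking that "Default is `baseUrl`" still describes what lib/config.js does in this same commit, where the default becomes `'/'` rather than the base URL itself.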
13 changes: 7 additions & 6 deletions index.d.ts
Expand Up @@ -24,6 +24,7 @@ interface ConfigParams {

/**
* REQUIRED. The secret(s) used to derive an encryption key for the user identity in a session cookie.
* Use a single string key or array of keys for an encrypted session cookie or false to skip.
* Can use env key APP_SESSION_SECRET instead.
*/
appSessionSecret?: boolean | string | string[];
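Review bot: the added line says "or false to skip" while the comment still opens with "REQUIRED." and the member is typed optional (`?`); clarify that the key must be set (directly or via `APP_SESSION_SECRET`) and that `false` is the explicit opt-out from the encrypted session cookie, so the two sentences do not read as contradictory.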
Expand Down Expand Up @@ -119,16 +120,16 @@ interface ConfigParams {
logoutPath?: string;

/**
* Relative path to the application callback to process the response from the authorization server.
* Either a relative path to the application or a valid URI to an external domain.
* This value must be registered on the authorization server.
* The user will be redirected to this after a logout has been performed.
*/
redirectUriPath?: string;
postLogoutRedirectUri?: string;

/**
* Either a relative path to the application
* or a valid URI to an external domain.
* The user will be redirected to this after a logout has been performed.
* Relative path to the application callback to process the response from the authorization server.
*/
postLogoutRedirectUri?: string;
redirectUriPath?: string;

/**
* Require authentication for all routes.
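Review bot: the alphabetical reorder is fine, but the moved `postLogoutRedirectUri` doc comment loses "This value must be registered on the authorization server.", which is the line IDE users see on hover; restore it unless the drop is deliberate, in which case the comment should say where the value is validated. The same sentence is removed from API.md in this commit, so whichever way it goes should be consistent across both files.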
10 changes: 4 additions & 6 deletions lib/config.js
Expand Up @@ -4,7 +4,7 @@ const loadEnvs = require('./loadEnvs');
const getUser = require('./hooks/getUser');
const handleCallback = require('./hooks/handleCallback');

const paramsSchema = Joi.object().keys({
const paramsSchema = Joi.object({
appSessionCookie: Joi.object({
domain: Joi.string().optional(),
ephemeral: Joi.boolean().optional().default(false),
Expand All @@ -16,11 +16,8 @@ const paramsSchema = Joi.object().keys({
appSessionDuration: Joi.number().integer().optional().default(7 * 24 * 60 * 60),
appSessionName: Joi.string().token().optional().default('identity'),
appSessionSecret: Joi.alternatives([
// Single string key.
Joi.string(),
// Array of keys to allow for rotation.
Joi.array().items(Joi.string()),
// False to stop client session from being created.
Joi.boolean().valid(false)
]).required(),
auth0Logout: Joi.boolean().optional().default(false),
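Review bot: the three removed comments were the only explanation of why `Joi.boolean().valid(false)` sits among the `appSessionSecret` alternatives; the index.d.ts comment added in this commit covers the single-key, array and `false` cases for TypeScript users, but a reader of the schema still has to guess why only `false` is accepted. Suggest keeping at least `// False to stop client session from being created.` next to that line.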
Expand All @@ -32,7 +29,8 @@ const paramsSchema = Joi.object().keys({
Joi.allow(null).optional()
]).default(function(parent) {
const responseType = parent.response_type.split(' ');
return responseType.includes('id_token') || responseType.includes('token') ? 'form_post' : undefined;
const responseIncludesTokens = responseType.includes('id_token') || responseType.includes('token');
return responseIncludesTokens ? 'form_post' : undefined;
}),
}).optional().unknown(true).default(),
baseURL: Joi.string().uri().required(),
Expand All @@ -52,10 +50,10 @@ const paramsSchema = Joi.object().keys({
legacySameSiteCookie: Joi.boolean().optional().default(true),
loginPath: Joi.string().uri({relativeOnly: true}).optional().default('/login'),
logoutPath: Joi.string().uri({relativeOnly: true}).optional().default('/logout'),
postLogoutRedirectUri: Joi.string().uri({allowRelative: true}).optional().default(''),
redirectUriPath: Joi.string().uri({relativeOnly: true}).optional().default('/callback'),
required: Joi.alternatives([ Joi.function(), Joi.boolean()]).optional().default(true),
routes: Joi.boolean().optional().default(true),
postLogoutRedirectUri: Joi.string().uri({allowRelative: true}).optional().default('/')
});

module.exports.get = function(params) {
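Review bot: `postLogoutRedirectUri` moves from its alphabetical slot between `logoutPath` and `redirectUriPath` to the end of the schema, the opposite of what index.d.ts does in this commit; keep it in place and change only the default. On the default itself, `''` becomes `'/'`, yet the logout tests in this commit now expect `https://example.org` with no trailing slash, and the handler that resolves the value against `baseURL` is not in this diff; a one-line comment such as `// Relative value, resolved against baseURL at logout time.` would make the intent visible here. Note also that `allowRelative: true` still accepts absolute URIs to any host, which is the external-domain case API.md describes.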
17 changes: 8 additions & 9 deletions test/logout.tests.js
@@ -1,5 +1,4 @@
const { assert } = require('chai');
const url = require('url');
const server = require('./fixture/server');
const { auth } = require('./..');

Expand Down Expand Up @@ -44,7 +43,7 @@ describe('logout route', function() {

it('should redirect to the base url', function() {
assert.equal(logoutResponse.statusCode, 302);
assert.equal(logoutResponse.headers.location, 'https://example.org/');
assert.equal(logoutResponse.headers.location, 'https://example.org');
});
});

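Review bot: the assertion changes from `https://example.org/` to `https://example.org` while lib/config.js in this commit changes the `postLogoutRedirectUri` default from `''` to `'/'`; the direction is surprising (a `/` default reads as if it should produce the trailing slash), and the logout handler that joins the two is not part of this diff. A short comment in the test stating the expected normalization, or asserting on a parsed URL rather than string equality, would stop the next reader from "fixing" it back.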
Expand Down Expand Up @@ -83,7 +82,7 @@ describe('logout route', function() {

it('should redirect to the base url', function() {
assert.equal(logoutResponse.statusCode, 302);
assert.equal(logoutResponse.headers.location, 'https://example.org/');
assert.equal(logoutResponse.headers.location, 'https://example.org');
});
});

Expand All @@ -92,7 +91,7 @@ describe('logout route', function() {
describe('should allow relative paths, and prepend with baseURL', () => {
let baseUrl;
const jar = request.jar();

before(async function() {
const middleware = auth({
idpLogout: false,
Expand All @@ -114,12 +113,12 @@ describe('logout route', function() {
baseUrl, jar
});
});

it('should redirect to postLogoutRedirectUri in auth() config', async function() {
const logoutResponse = await request.get({uri: '/logout', baseUrl, jar, followRedirect: false});
assert.equal(logoutResponse.headers.location, 'https://example.org/after-logout-in-auth-config');
});

it('should redirect to returnTo in logout query', async function() {
const logoutResponse = await request.get({uri: '/logout', qs: {returnTo: '/after-logout-in-logout-query'}, baseUrl, jar, followRedirect: false});
assert.equal(logoutResponse.headers.location, 'https://example.org/after-logout-in-logout-query');
Expand All @@ -129,7 +128,7 @@ describe('logout route', function() {
describe('should allow absolute paths', () => {
let baseUrl;
const jar = request.jar();

before(async function() {
const middleware = auth({
idpLogout: false,
Expand All @@ -151,12 +150,12 @@ describe('logout route', function() {
baseUrl, jar
});
});

it('should redirect to postLogoutRedirectUri in auth() config', async function() {
const logoutResponse = await request.get({uri: '/logout', baseUrl, jar, followRedirect: false});
assert.equal(logoutResponse.headers.location, 'https://external-domain.com/after-logout-in-auth-config');
});

it('should redirect to returnTo in logout query', async function() {
const logoutResponse = await request.get({uri: '/logout', qs: {returnTo: 'https://external-domain.com/after-logout-in-logout-query'}, baseUrl, jar, followRedirect: false});
assert.equal(logoutResponse.headers.location, 'https://external-domain.com/after-logout-in-logout-query');
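Review bot: this and the preceding hunks in this file only trim whitespace on blank lines, so there is no behaviour change, but the unchanged context pins the behaviour that an absolute `returnTo` from the logout query string is forwarded verbatim to another host, and with `idpLogout: false` in the `before` block no authorization-server allow list is involved. Consider pairing it with a negative test that states what the middleware does with a `returnTo` that is neither relative nor equal to the configured `postLogoutRedirectUri` (reject it, or fall back to the configured value), since a post-logout redirect to whatever the query supplies is exactly the pattern an open-redirect check flags; if that is intentionally left to the authorization server when `idpLogout` is enabled, the test name should say so.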