fix: remove session from store on logout

This patch resolves an issue where the session would not be purged from the store when performing an RP-initiated logout request from a client, if said client does not purge the authentication session properly because the client does not have access to it or because the client misbehaves.
ory · Dec 8, 2020 · 4495f56 · 4495f56
1 parent ef12c06
commit 4495f56
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/consent/strategy_default.go b/consent/strategy_default.go
@@ -964,6 +964,8 @@ func (s *DefaultStrategy) completeLogout(w http.ResponseWriter, r *http.Request)
  }
  }
 
+ _, _ = s.revokeAuthenticationCookie(w, r, s.r.CookieStore()) // Cookie removal is optional
+
  urls, err := s.generateFrontChannelLogoutURLs(r.Context(), lr.Subject, lr.SessionID)
  if err != nil {
  return nil, err
@@ -973,14 +975,22 @@ func (s *DefaultStrategy) completeLogout(w http.ResponseWriter, r *http.Request)
  return nil, err
  }
 
- if err := s.revokeAuthenticationSession(w, r); err != nil {
+ // We delete the session after back channel log out has worked as the session is otherwise removed
+ // from the store which will break the query for finding all the channels.
+ //
+ // executeBackChannelLogout only fails on system errors so not on URL errors, so this should be fine
+ // even if an upstream URL fails!
+ if err := s.r.ConsentManager().DeleteLoginSession(r.Context(), lr.SessionID); errors.Is(err, sqlcon.ErrNoRows) {
+ // This is ok (session probably already revoked), do nothing!
+ } else if err != nil {
  return nil, err
  }
 
  s.r.AuditLogger().
  WithRequest(r).
  WithField("subject", lr.Subject).
  Info("User logout completed!")
+
  return &LogoutResult{
  RedirectTo: lr.PostLogoutRedirectURI,
  FrontChannelLogoutURLs: urls,