From 19dc4c195b28df638e202bc35fe3cb3c26ed1089 Mon Sep 17 00:00:00 2001 From: Benedikt Kulmann Date: Tue, 28 May 2024 14:30:37 +0200 Subject: [PATCH 1/3] fix: remove user locally if no logout url in IdP --- changelog/unreleased/bugfix-local-logout | 8 ++++++++ .../composables/authContext/useAuthService.ts | 1 + .../src/components/Topbar/UserMenu.vue | 16 ++++++++-------- .../web-runtime/src/services/auth/authService.ts | 14 ++++++++++---- 4 files changed, 27 insertions(+), 12 deletions(-) create mode 100644 changelog/unreleased/bugfix-local-logout diff --git a/changelog/unreleased/bugfix-local-logout b/changelog/unreleased/bugfix-local-logout new file mode 100644 index 00000000000..a0df6ac85d6 --- /dev/null +++ b/changelog/unreleased/bugfix-local-logout @@ -0,0 +1,8 @@ +Bugfix: Local logout if IdP has no logout support + +Some IdPs don't support a logout endpoint. In those cases the web UI ran into a fatal error an showed an empty screen without +further redirects. Fixed by forgetting the currently authenticated user when the OpenID Connect configuration doesn't contain +an `endSessionEndpoint` url. + +https://github.com/owncloud/web/pull/10974 +https://github.com/owncloud/enterprise/issues/6631 diff --git a/packages/web-pkg/src/composables/authContext/useAuthService.ts b/packages/web-pkg/src/composables/authContext/useAuthService.ts index 1f8e11a559b..bdfb1d6dba7 100644 --- a/packages/web-pkg/src/composables/authContext/useAuthService.ts +++ b/packages/web-pkg/src/composables/authContext/useAuthService.ts @@ -3,6 +3,7 @@ import { useService } from '../service' export interface AuthServiceInterface { handleAuthError(route: any): any signinSilent(): Promise + logoutUser(): Promise } export const useAuthService = (): AuthServiceInterface => { diff --git a/packages/web-runtime/src/components/Topbar/UserMenu.vue b/packages/web-runtime/src/components/Topbar/UserMenu.vue index a8f08a23058..d9a67cc4920 100644 --- a/packages/web-runtime/src/components/Topbar/UserMenu.vue 
+++ b/packages/web-runtime/src/components/Topbar/UserMenu.vue @@ -143,13 +143,13 @@ import { storeToRefs } from 'pinia' import { defineComponent, PropType, ComponentPublicInstance, computed, unref } from 'vue' import { filesize } from 'filesize' -import { authService } from '../../services/auth' import { useRoute, useSpacesStore, useThemeStore, useUserStore, - routeToContextQuery + routeToContextQuery, + useAuthService } from '@ownclouders/web-pkg' import { OcDrop } from 'design-system/src/components' import { MenuItem } from '../../helpers/menuItems' @@ -167,6 +167,7 @@ export default defineComponent({ const userStore = useUserStore() const themeStore = useThemeStore() const spacesStore = useSpacesStore() + const authService = useAuthService() const { user } = storeToRefs(userStore) @@ -181,6 +182,9 @@ export default defineComponent({ query: { redirectUrl: unref(route).fullPath } } }) + const logout = () => { + authService.logoutUser() + } const imprintUrl = computed(() => themeStore.currentTheme.common.urls.imprint) const privacyUrl = computed(() => themeStore.currentTheme.common.urls.privacy) @@ -195,7 +199,8 @@ export default defineComponent({ loginLink, imprintUrl, privacyUrl, - quota + quota, + logout } }, computed: { @@ -249,11 +254,6 @@ export default defineComponent({ onShown: () => (this.$refs.menu as ComponentPublicInstance).$el.querySelector('a:first-of-type').focus() }) - }, - methods: { - logout() { - authService.logoutUser() - } } }) diff --git a/packages/web-runtime/src/services/auth/authService.ts b/packages/web-runtime/src/services/auth/authService.ts index b23456a9982..a3906135d5e 100644 --- a/packages/web-runtime/src/services/auth/authService.ts +++ b/packages/web-runtime/src/services/auth/authService.ts @@ -6,7 +6,8 @@ import { UserStore, CapabilityStore, ConfigStore, - useTokenTimerWorker + useTokenTimerWorker, + AuthServiceInterface } from '@ownclouders/web-pkg' import { RouteLocation, Router } from 'vue-router' import { 
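Review bot: The new `logout` handler in `setup()` (hunk `@@ -181,6 +182,9 @@`) drops the promise returned by `authService.logoutUser()`, so a rejected logout becomes an unhandled rejection and the user gets no signal that the session is still active. Handle the rejection, for example `const logout = () => authService.logoutUser().catch((e) => console.error(e))`, or report it through whatever notification mechanism the component already uses. The removed `methods.logout` had the same gap, so this is a good moment to close it. `setup()` starts and ends outside the hunk.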
@@ -22,7 +23,7 @@ import { Language } from 'vue3-gettext' import { PublicLinkType } from '@ownclouders/web-client' import { WebWorkersStore } from '@ownclouders/web-pkg' -export class AuthService { +export class AuthService implements AuthServiceInterface { private clientService: ClientService private configStore: ConfigStore private router: Router @@ -314,12 +315,17 @@ export class AuthService { } public async logoutUser() { + const endSessionEndpoint = await this.userManager.metadataService?.getEndSessionEndpoint() + if (!endSessionEndpoint) { + return await this.userManager.removeUser() + } + const u = await this.userManager.getUser() if (u && u.id_token) { return this.userManager.signoutRedirect({ id_token_hint: u.id_token }) - } else { - await this.userManager.removeUser() } + + return await this.userManager.removeUser() } private resetStateAfterUserLogout() { From d24200dd30880ff896c06c4598654024956ecdaa Mon Sep 17 00:00:00 2001 From: Benedikt Kulmann Date: Fri, 31 May 2024 14:00:37 +0200 Subject: [PATCH 2/3] fix: navigate to logged out page when no endSessionEndpoint --- .../composables/authContext/useAuthService.ts | 3 +- .../web-runtime/src/pages/accessDenied.vue | 1 - packages/web-runtime/src/pages/logout.vue | 68 +++++++++++++------ .../src/services/auth/authService.ts | 10 +-- .../src/services/auth/userManager.ts | 2 - .../__snapshots__/accessDenied.spec.ts.snap | 2 +- 6 files changed, 55 insertions(+), 31 deletions(-) diff --git a/packages/web-pkg/src/composables/authContext/useAuthService.ts b/packages/web-pkg/src/composables/authContext/useAuthService.ts index bdfb1d6dba7..af6e7a4d52e 100644 --- a/packages/web-pkg/src/composables/authContext/useAuthService.ts +++ b/packages/web-pkg/src/composables/authContext/useAuthService.ts 
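Review bot: In `logoutUser` (hunk `@@ -314,12 +315,17 @@` of authService.ts) the awaited `getEndSessionEndpoint()` call has no error handling. If the metadata lookup rejects, presumably when the discovery document cannot be fetched, the method rejects before either `removeUser()` path runs and the local session and its tokens stay in place. Logout should fail closed: catch that rejection and fall through to local removal, as in the excerpt below. Separately, the local-only branch leaves the IdP session and the already issued tokens valid until they expire. A comment on that branch should say so, and if the IdP advertises a revocation endpoint the tokens could be revoked before `removeUser()`. The class body continues outside the hunk.

```typescript
  public async logoutUser() {
    let endSessionEndpoint: string | undefined
    try {
      endSessionEndpoint = await this.userManager.metadataService?.getEndSessionEndpoint()
    } catch {
      // Metadata unavailable: treat like "no logout endpoint" so the local session is still cleared.
      endSessionEndpoint = undefined
    }
    if (!endSessionEndpoint) {
      // Local-only logout: the IdP session and issued tokens remain valid until they expire.
      return await this.userManager.removeUser()
    }
    // … unchanged: getUser(), signoutRedirect with id_token_hint, removeUser() fallback …
```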
@@ -1,9 +1,10 @@ import { useService } from '../service' +import { NavigationFailure } from 'vue-router' export interface AuthServiceInterface { handleAuthError(route: any): any signinSilent(): Promise - logoutUser(): Promise + logoutUser(): Promise } export const useAuthService = (): AuthServiceInterface => { diff --git a/packages/web-runtime/src/pages/accessDenied.vue b/packages/web-runtime/src/pages/accessDenied.vue index 955206696cb..e70dea8de72 100644 --- a/packages/web-runtime/src/pages/accessDenied.vue +++ b/packages/web-runtime/src/pages/accessDenied.vue @@ -82,7 +82,6 @@ export default defineComponent({ } } return { - name: 'login', type: 'router-link', to: { name: 'login', diff --git a/packages/web-runtime/src/pages/logout.vue b/packages/web-runtime/src/pages/logout.vue index 2ed8ec877bf..7a1683d2026 100644 --- a/packages/web-runtime/src/pages/logout.vue +++ b/packages/web-runtime/src/pages/logout.vue @@ -1,42 +1,66 @@