fix: session revoke in logout

supertokens · Sep 26, 2024 · 7e82270 · 7e82270
1 parent ef2e7fb
commit 7e82270
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 13 deletions.
diff --git a/src/main/java/io/supertokens/inmemorydb/Start.java b/src/main/java/io/supertokens/inmemorydb/Start.java
@@ -3080,9 +3080,9 @@ public void addM2MToken(AppIdentifier appIdentifier, String clientId, long iat,
 
     @Override
     public void addLogoutChallenge(AppIdentifier appIdentifier, String challenge, String clientId,
-            String postLogoutRedirectionUri, String state, long timeCreated) throws StorageQueryException {
+            String postLogoutRedirectionUri, String sessionHandle, String state, long timeCreated) throws StorageQueryException {
         try {
-            OAuthQueries.addLogoutChallenge(this, appIdentifier, challenge, clientId, postLogoutRedirectionUri, state, timeCreated);
+            OAuthQueries.addLogoutChallenge(this, appIdentifier, challenge, clientId, postLogoutRedirectionUri, sessionHandle, state, timeCreated);
         } catch (SQLException e) {
             throw new StorageQueryException(e);
         }

diff --git a/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java b/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java
@@ -101,7 +101,7 @@ public static String getQueryToCreateOAuthLogoutChallengesTable(Start start) {
                 + "challenge VARCHAR(128) NOT NULL,"
                 + "client_id VARCHAR(128) NOT NULL,"
                 + "post_logout_redirect_uri VARCHAR(1024),"
-                + "gid VARCHAR(128),"
+                + "session_handle VARCHAR(128),"
                 + "state VARCHAR(128),"
                 + "time_created BIGINT NOT NULL,"
                 + "PRIMARY KEY (app_id, challenge),"
@@ -314,21 +314,22 @@ public static void cleanUpExpiredAndRevokedTokens(Start start, AppIdentifier app
     }
 
     public static void addLogoutChallenge(Start start, AppIdentifier appIdentifier, String challenge, String clientId,
-            String postLogoutRedirectionUri, String state, long timeCreated) throws SQLException, StorageQueryException {
+            String postLogoutRedirectionUri, String sessionHandle, String state, long timeCreated) throws SQLException, StorageQueryException {
         String QUERY = "INSERT INTO " + Config.getConfig(start).getOAuthLogoutChallengesTable() +
-                " (app_id, challenge, client_id, post_logout_redirect_uri, state, time_created) VALUES (?, ?, ?, ?, ?, ?)";
+                " (app_id, challenge, client_id, post_logout_redirect_uri, session_handle, state, time_created) VALUES (?, ?, ?, ?, ?, ?, ?)";
         update(start, QUERY, pst -> {
             pst.setString(1, appIdentifier.getAppId());
             pst.setString(2, challenge);
             pst.setString(3, clientId);
             pst.setString(4, postLogoutRedirectionUri);
-            pst.setString(5, state);
-            pst.setLong(6, timeCreated);
+            pst.setString(5, sessionHandle);
+            pst.setString(6, state);
+            pst.setLong(7, timeCreated);
         });
     }
 
     public static OAuthLogoutChallenge getLogoutChallenge(Start start, AppIdentifier appIdentifier, String challenge) throws SQLException, StorageQueryException {
-        String QUERY = "SELECT challenge, client_id, post_logout_redirect_uri, gid, state, time_created FROM " +
+        String QUERY = "SELECT challenge, client_id, post_logout_redirect_uri, session_handle, state, time_created FROM " +
                 Config.getConfig(start).getOAuthLogoutChallengesTable() +
                 " WHERE app_id = ? AND challenge = ?";
 
@@ -341,7 +342,7 @@ public static OAuthLogoutChallenge getLogoutChallenge(Start start, AppIdentifier
                     result.getString("challenge"),
                     result.getString("client_id"),
                     result.getString("post_logout_redirect_uri"),
-                    result.getString("gid"),
+                    result.getString("session_handle"),
                     result.getString("state"),
                     result.getLong("time_created")
                 );

diff --git a/src/main/java/io/supertokens/oauth/OAuth.java b/src/main/java/io/supertokens/oauth/OAuth.java
@@ -571,12 +571,13 @@ public static void addM2MToken(Main main, AppIdentifier appIdentifier, Storage s
     }
 
     public static String createLogoutRequestAndReturnRedirectUri(Main main, AppIdentifier appIdentifier, Storage storage, String clientId,
-            String postLogoutRedirectionUri, String state, String idTokenHint) throws StorageQueryException {
+            String postLogoutRedirectionUri, String sessionHandle, String state) throws StorageQueryException {
 
         OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
 
         String logoutChallenge = UUID.randomUUID().toString();
-        oauthStorage.addLogoutChallenge(appIdentifier, logoutChallenge, clientId, postLogoutRedirectionUri, state, System.currentTimeMillis());
+        oauthStorage.addLogoutChallenge(appIdentifier, logoutChallenge, clientId, postLogoutRedirectionUri, sessionHandle, state, System.currentTimeMillis());
+
         return "{apiDomain}/oauth/logout?logout_challenge=" + logoutChallenge;
     }
 
@@ -588,7 +589,7 @@ public static String consumeLogoutChallengeAndGetRedirectUri(Main main, AppIdent
             throw new OAuthAPIException("invalid_request", "Logout request not found", 400);
         }
 
-        oauthStorage.revoke(appIdentifier, "gid", logoutChallenge.gid, 3600 * 24 * (183 + 31));
+        revokeSessionHandle(main, appIdentifier, oauthStorage, logoutChallenge.sessionHandle);
 
         String url = null;
         if (logoutChallenge.postLogoutRedirectionUri != null) {

diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java
@@ -58,8 +58,12 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IO
             }
             // Verify id token and client id associations
             JsonObject idTokenPayload = null;
+            String sessionHandle = null;
             if (idTokenHint != null) {
                 idTokenPayload = OAuth.verifyIdTokenAndGetPayload(main, appIdentifier, storage, idTokenHint);
+                if (idTokenPayload.has("sid")) {
+                    sessionHandle = idTokenPayload.get("sid").getAsString();
+                }
 
                 if (clientId != null) {
                     String clientIdInIdTokenPayload = idTokenPayload.get("aud").getAsString();
@@ -125,7 +129,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IO
                 return;
             }
 
-            String redirectTo = OAuth.createLogoutRequestAndReturnRedirectUri(main, appIdentifier, storage, clientId, postLogoutRedirectionUri, state, idTokenHint);
+            String redirectTo = OAuth.createLogoutRequestAndReturnRedirectUri(main, appIdentifier, storage, clientId, postLogoutRedirectionUri, sessionHandle, state);
 
             JsonObject response = new JsonObject();
             response.addProperty("status", "OK");