From 7e82270b9445cd8ba59aaa60bebb21223f818eca Mon Sep 17 00:00:00 2001
From: Sattvik Chakravarthy
Date: Thu, 26 Sep 2024 14:56:48 +0530
Subject: [PATCH] fix: session revoke in logout
---
 .../java/io/supertokens/inmemorydb/Start.java | 4 ++--
 .../inmemorydb/queries/OAuthQueries.java | 15 ++++++++-------
 src/main/java/io/supertokens/oauth/OAuth.java | 7 ++++---
 .../webserver/api/oauth/OAuthLogoutAPI.java | 6 +++++-
 4 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/src/main/java/io/supertokens/inmemorydb/Start.java b/src/main/java/io/supertokens/inmemorydb/Start.java
index 4a27e3b84..93715c091 100644
--- a/src/main/java/io/supertokens/inmemorydb/Start.java
+++ b/src/main/java/io/supertokens/inmemorydb/Start.java
@@ -3080,9 +3080,9 @@ public void addM2MToken(AppIdentifier appIdentifier, String clientId, long iat,
 @Override
 public void addLogoutChallenge(AppIdentifier appIdentifier, String challenge, String clientId,
- String postLogoutRedirectionUri, String state, long timeCreated) throws StorageQueryException {
+ String postLogoutRedirectionUri, String sessionHandle, String state, long timeCreated) throws StorageQueryException {
 try {
- OAuthQueries.addLogoutChallenge(this, appIdentifier, challenge, clientId, postLogoutRedirectionUri, state, timeCreated);
+ OAuthQueries.addLogoutChallenge(this, appIdentifier, challenge, clientId, postLogoutRedirectionUri, sessionHandle, state, timeCreated);
 } catch (SQLException e) {
 throw new StorageQueryException(e);
 }
diff --git a/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java b/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java
index fdac29760..ea423ece3 100644
--- a/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java
+++ b/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java
@@ -101,7 +101,7 @@ public static String getQueryToCreateOAuthLogoutChallengesTable(Start start) {
 + "challenge VARCHAR(128) NOT NULL,"
 + "client_id VARCHAR(128) NOT NULL,"
 + "post_logout_redirect_uri VARCHAR(1024),"
- + "gid VARCHAR(128),"
+ + "session_handle VARCHAR(128),"
 + "state VARCHAR(128),"
 + "time_created BIGINT NOT NULL,"
 + "PRIMARY KEY (app_id, challenge),"
@@ -314,21 +314,22 @@ public static void cleanUpExpiredAndRevokedTokens(Start start, AppIdentifier app
 }
 public static void addLogoutChallenge(Start start, AppIdentifier appIdentifier, String challenge, String clientId,
- String postLogoutRedirectionUri, String state, long timeCreated) throws SQLException, StorageQueryException {
+ String postLogoutRedirectionUri, String sessionHandle, String state, long timeCreated) throws SQLException, StorageQueryException {
 String QUERY = "INSERT INTO " + Config.getConfig(start).getOAuthLogoutChallengesTable() +
- " (app_id, challenge, client_id, post_logout_redirect_uri, state, time_created) VALUES (?, ?, ?, ?, ?, ?)";
+ " (app_id, challenge, client_id, post_logout_redirect_uri, session_handle, state, time_created) VALUES (?, ?, ?, ?, ?, ?, ?)";
 update(start, QUERY, pst -> {
 pst.setString(1, appIdentifier.getAppId());
 pst.setString(2, challenge);
 pst.setString(3, clientId);
 pst.setString(4, postLogoutRedirectionUri);
- pst.setString(5, state);
- pst.setLong(6, timeCreated);
+ pst.setString(5, sessionHandle);
+ pst.setString(6, state);
+ pst.setLong(7, timeCreated);
 });
 }
 public static OAuthLogoutChallenge getLogoutChallenge(Start start, AppIdentifier appIdentifier, String challenge) throws SQLException, StorageQueryException {
- String QUERY = "SELECT challenge, client_id, post_logout_redirect_uri, gid, state, time_created FROM " +
+ String QUERY = "SELECT challenge, client_id, post_logout_redirect_uri, session_handle, state, time_created FROM " +
 Config.getConfig(start).getOAuthLogoutChallengesTable() +
 " WHERE app_id = ? AND challenge = ?";
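Review bot: The new `sessionHandle` parameter of `addLogoutChallenge` is undocumented, and since the `session_handle` column added in the first hunk is declared without NOT NULL, neither callers of `addLogoutChallenge` nor readers of `getLogoutChallenge` can tell whether a null handle is a legal value or a bug. Suggest a Javadoc line on `addLogoutChallenge` such as `@param sessionHandle handle of the session to revoke when the challenge is consumed; null when the logout request carried no id token with a sid claim`, if that is the intended contract, and a matching note on the returned `OAuthLogoutChallenge`. This DDL appears to be the in-memory storage (inferred from the package path), so renaming `gid` to `session_handle` in the CREATE TABLE string is presumably sufficient here; any persistent storage plugin mirroring this schema would need a real migration, which this patch does not cover.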
@@ -341,7 +342,7 @@ public static OAuthLogoutChallenge getLogoutChallenge(Start start, AppIdentifier
 result.getString("challenge"),
 result.getString("client_id"),
 result.getString("post_logout_redirect_uri"),
- result.getString("gid"),
+ result.getString("session_handle"),
 result.getString("state"),
 result.getLong("time_created")
 );
diff --git a/src/main/java/io/supertokens/oauth/OAuth.java b/src/main/java/io/supertokens/oauth/OAuth.java
index 96e6a8484..35dce6083 100644
--- a/src/main/java/io/supertokens/oauth/OAuth.java
+++ b/src/main/java/io/supertokens/oauth/OAuth.java
@@ -571,12 +571,13 @@ public static void addM2MToken(Main main, AppIdentifier appIdentifier, Storage s
 }
 public static String createLogoutRequestAndReturnRedirectUri(Main main, AppIdentifier appIdentifier, Storage storage, String clientId,
- String postLogoutRedirectionUri, String state, String idTokenHint) throws StorageQueryException {
+ String postLogoutRedirectionUri, String sessionHandle, String state) throws StorageQueryException {
 OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
 String logoutChallenge = UUID.randomUUID().toString();
- oauthStorage.addLogoutChallenge(appIdentifier, logoutChallenge, clientId, postLogoutRedirectionUri, state, System.currentTimeMillis());
+ oauthStorage.addLogoutChallenge(appIdentifier, logoutChallenge, clientId, postLogoutRedirectionUri, sessionHandle, state, System.currentTimeMillis());
+
 return "{apiDomain}/oauth/logout?logout_challenge=" + logoutChallenge;
 }
@@ -588,7 +589,7 @@ public static String consumeLogoutChallengeAndGetRedirectUri(Main main, AppIdent
 throw new OAuthAPIException("invalid_request", "Logout request not found", 400);
 }
- oauthStorage.revoke(appIdentifier, "gid", logoutChallenge.gid, 3600 * 24 * (183 + 31));
+ revokeSessionHandle(main, appIdentifier, oauthStorage, logoutChallenge.sessionHandle);
 String url = null;
 if (logoutChallenge.postLogoutRedirectionUri != null) {
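Review bot: `revokeSessionHandle(main, appIdentifier, oauthStorage, logoutChallenge.sessionHandle)` in the `consumeLogoutChallengeAndGetRedirectUri` hunk is called unconditionally, but `sessionHandle` can be null: the storage column is nullable and OAuthLogoutAPI only populates it when the verified id token carries a `sid` claim. Unless `revokeSessionHandle` (not in this diff) tolerates null, a logout request made without an id_token_hint would fail at this line instead of simply skipping revocation. Guard it: `if (logoutChallenge.sessionHandle != null) { revokeSessionHandle(main, appIdentifier, oauthStorage, logoutChallenge.sessionHandle); }`. The removed call carried an explicit revocation window (`3600 * 24 * (183 + 31)`); a one-line comment stating what the new helper revokes and for how long would keep that intent visible to the next reader. `consumeLogoutChallengeAndGetRedirectUri` starts and ends outside the hunk.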
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java
index 2fd26071e..b2ccd93fd 100644
--- a/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java
@@ -58,8 +58,12 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IO
 }
 // Verify id token and client id associations
 JsonObject idTokenPayload = null;
+ String sessionHandle = null;
 if (idTokenHint != null) {
 idTokenPayload = OAuth.verifyIdTokenAndGetPayload(main, appIdentifier, storage, idTokenHint);
+ if (idTokenPayload.has("sid")) {
+ sessionHandle = idTokenPayload.get("sid").getAsString();
+ }
 if (clientId != null) {
 String clientIdInIdTokenPayload = idTokenPayload.get("aud").getAsString();
@@ -125,7 +129,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IO
 return;
 }
- String redirectTo = OAuth.createLogoutRequestAndReturnRedirectUri(main, appIdentifier, storage, clientId, postLogoutRedirectionUri, state, idTokenHint);
+ String redirectTo = OAuth.createLogoutRequestAndReturnRedirectUri(main, appIdentifier, storage, clientId, postLogoutRedirectionUri, sessionHandle, state);
 JsonObject response = new JsonObject();
 response.addProperty("status", "OK");
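Review bot: `sessionHandle = idTokenPayload.get("sid").getAsString();` is guarded only by `has("sid")`, so a `sid` member that is present but JSON null would throw from `getAsString()` (Gson's JsonNull does not support it) and surface as an unhandled exception rather than a validation error; tighten the guard to `if (idTokenPayload.has("sid") && idTokenPayload.get("sid").isJsonPrimitive())`. Reading the handle only after `verifyIdTokenAndGetPayload` is the right order, since it means the session to revoke is taken from a verified token rather than from a caller-supplied parameter. It would also help to note on `String sessionHandle = null;` that it stays null when no id_token_hint is supplied, in which case the stored logout challenge carries no session to revoke — assuming that is the intended behaviour. `doGet` starts and ends outside the hunk.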