mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 14:51:30 +00:00
shankar0123
cd374b243e
Phase 9 ARCH-M2 closure Sprint 11. Splits
internal/api/handler/auth_session_oidc.go (was 1577 LOC, the
fifth-largest backend hotspot from the original audit) via the
Option B sibling-file pattern — new files stay in `package handler`
so every external caller of
`handler.AuthSessionOIDCHandler.{LoginInitiate, LoginCallback,
BackChannelLogout, Logout, ListSessions, RevokeSession,
RevokeAllExceptCurrent, ListProviders, CreateProvider,
UpdateProvider, DeleteProvider, TestProvider, RefreshProvider,
ListGroupMappings, AddGroupMapping, RemoveGroupMapping}` and
`handler.{DefaultBCLVerifier, NewDefaultBCLVerifier,
DefaultBCLVerifierMaxAge}` resolves the same way. Pure mechanical
relocation; no signature, no behavior, no import-graph change.
Section-based split (Option B + audit's verb prescription)
==========================================================
The audit's Tasks-Deferred row prescribed splitting "per handler
verb (login / callback / refresh / logout / backchannel)." The
file itself documents a three-section layout in its package
doc-comment:
1. Public OIDC handshake (auth-exempt)
2. Session management (RBAC-gated)
3. OIDC provider + group-mapping CRUD (RBAC-gated)
Going strictly verb-by-verb would have:
- mis-grouped RefreshProvider (which is an ADMIN op on a
provider's signing-key cache, not a session refresh — same
auth.oidc.edit permission as Update/Delete);
- split LoginInitiate + LoginCallback into separate files
despite them sharing the state cookie + pre-login row flow;
- left the other 9 handlers (Sessions, Provider CRUD, Group
Mappings) with no obvious home.
Sprint 11 follows the file's own self-described section split
plus a fourth file for the DefaultBCLVerifier, which the original
file already kept under a separate banner.
What moved
==========
New `internal/api/handler/auth_session_oidc_handshake.go` (391 LOC)
— Section 1 / Public OIDC handshake handlers (auth-exempt):
- LoginInitiate (GET /auth/oidc/login?provider=<id>)
- LoginCallback (GET /auth/oidc/callback?code=...&state=...)
- BackChannelLogout (POST /auth/oidc/back-channel-logout)
- Logout (POST /auth/logout)
New `internal/api/handler/auth_session_oidc_sessions.go` (208 LOC)
— Section 2 / Session-management handlers (RBAC-gated):
- sessionResponse projection type + sessionToResponse mapper
- ListSessions (GET /api/v1/auth/sessions)
- RevokeSession (DELETE /api/v1/auth/sessions/{id})
- RevokeAllExceptCurrent
(DELETE /api/v1/auth/sessions/all-except-current)
New `internal/api/handler/auth_session_oidc_crud.go` (470 LOC) —
Section 3 / OIDC provider + group-mapping CRUD (RBAC-gated):
- oidcProviderResponse + oidcProviderRequest projection types,
providerToResponse mapper
- ListProviders / CreateProvider / UpdateProvider /
DeleteProvider / TestProvider / RefreshProvider
- groupMappingResponse + groupMappingRequest projection types,
mappingToResponse mapper
- ListGroupMappings / AddGroupMapping / RemoveGroupMapping
New `internal/api/handler/auth_session_oidc_bcl.go` (225 LOC) —
DefaultBCLVerifier (handler's default implementation of the
BackChannelLogoutVerifier interface declared in
auth_session_oidc.go):
- DefaultBCLVerifierMaxAge constant
- DefaultBCLVerifier struct + NewDefaultBCLVerifier
- WithMaxAge builder
- Verify (the OpenID Connect Back-Channel Logout 1.0 §2.6
verification: events claim, iat window, algorithm allowlist,
audience match, sub/sid/jti decode)
- peekIssuer unexported helper
What stays in auth_session_oidc.go (452 LOC, down from 1577)
============================================================
- Package + import block.
- Service-layer interface projections (OIDCAuthHandshaker,
SessionMinter, BackChannelLogoutVerifier) — declared once and
consumed by every section.
- SessionCookieAttrs config struct.
- AuthSessionOIDCHandler struct + permissionChecker /
BCLReplayConsumer / AuditRecorder interfaces + NewAuthSession-
OIDCHandler constructor + the WithPermissionChecker /
WithBCLReplayConsumer builder methods.
- The shared helpers consumed across multiple sections:
encryptClientSecret, recordAudit, clearPreLoginCookie,
clearSessionCookies, clientIPFromRequest, classifyOIDCFailure,
randomB64URLForHandler, defaultIfBlank, defaultIntIfZero.
Side-effect import cleanup
==========================
Four imports drop from auth_session_oidc.go as a clean side effect
of the cut:
- "encoding/json" (used only in CRUD + BCL — moved out)
- "fmt" (used only in BCL — moved out)
- gooidc "github.com/coreos/go-oidc/v3/oidc"
(used only in BCL — moved out)
- oidcdomain "github.com/certctl-io/certctl/internal/auth/oidc/domain"
(used in handshake + CRUD + BCL — moved out)
Per-import audit on every new sibling file is in the commit's diff:
each carries only the imports its extracted code actually consumes.
Net effect
==========
auth_session_oidc.go: 1577 → 452 LOC (-1,125 = -71.3%). Four new
sibling files at 1,294 LOC total (1,125 moved + ~169 of header +
Phase 9 doc-comment overhead). The original hotspot drops below
the cmd/agent/main.go target for Sprint 12 (1489 LOC).
Cumulative Phase 9 progress (top 5 hotspots)
============================================
config.go 3403 → 1342 (-60.6%, Sprints 1-7)
cmd/server/main.go 2966 → 2260 (-23.8%, Sprints 8 + 8b)
service/acme.go 1965 → 1162 (-40.9%, Sprints 9 + 9b)
mcp/tools.go 1867 → 109 (-94.2%, Sprint 10)
auth_session_oidc 1577 → 452 (-71.3%, Sprint 11)
TOTAL across 5 files: 11,778 → 5,325 LOC = -6,453 (-54.8%)
Behavior preservation contract
==============================
1. gofmt -l clean across all 5 affected files.
2. go vet ./internal/api/handler/... — no findings.
3. staticcheck ./internal/api/handler/... — no findings.
4. go test -short -count=1 ./internal/api/handler/... — green
(includes the 1,439-line auth_session_oidc_test.go suite that
pins every moved handler's behavior including BCL replay,
CSRF rotation, audit emission, and the Phase-5 RBAC path).
5. Broader-importer build green: go build ./... .
6. Broader-importer tests green: go test -short -count=1
./cmd/server/... ./internal/api/router/... .
cmd/server/main.go consumes handler.DefaultBCLVerifier +
handler.NewDefaultBCLVerifier + handler.DefaultBCLVerifierMaxAge
across three call sites; all three resolve unchanged through Go's
same-package public-export mechanism (the type + constructor
moved to a sibling file in the same `handler` package). The
mcp/tools_auth_bundle2.go comment string referencing
"oidcProviderRequest" is descriptive prose, not an import.
What remains for Phase 9
========================
One sibling-file split queued:
- Sprint 12: cmd/agent/main.go (1489 LOC) → main + poll +
deploy + register sibling files in same cmd/agent package
(mirrors the cmd/server pattern from Sprints 8 + 8b).
Refs: ARCH-M2 (god-files), Phase 9 audit. Sprint 11 closes the
auth-session-OIDC handler hotspot from the audit's top-5 list.
391 lines
17 KiB
Go
391 lines
17 KiB
Go
// Copyright 2026 certctl LLC. All rights reserved.
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
package handler
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
oidcdomain "github.com/certctl-io/certctl/internal/auth/oidc/domain"
|
|
sessionsvc "github.com/certctl-io/certctl/internal/auth/session"
|
|
sessiondomain "github.com/certctl-io/certctl/internal/auth/session/domain"
|
|
"github.com/certctl-io/certctl/internal/domain"
|
|
"github.com/certctl-io/certctl/internal/repository"
|
|
)
|
|
|
|
// Phase 9 ARCH-M2 closure Sprint 11 (2026-05-14): extracted from
|
|
// internal/api/handler/auth_session_oidc.go via the Option B
|
|
// sibling-file pattern. Package stays `handler`; every external
|
|
// caller of `handler.AuthSessionOIDCHandler.{LoginInitiate,
|
|
// LoginCallback, BackChannelLogout, Logout}` resolves the same
|
|
// way — pure mechanical relocation. The router wiring in
|
|
// internal/api/router/router.go is unaffected.
|
|
//
|
|
// This file holds Section 1 of the original file's three-section
|
|
// layout (per its own package doc-comment): the PUBLIC OIDC
|
|
// HANDSHAKE handlers. These four endpoints are auth-exempt — they
|
|
// run before the caller has a certctl-issued credential:
|
|
//
|
|
// GET /auth/oidc/login?provider=<id> -> 302 to IdP
|
|
// GET /auth/oidc/callback?code=...&state=... -> consume + mint
|
|
// POST /auth/oidc/back-channel-logout -> IdP-initiated
|
|
// POST /auth/logout -> revoke caller's
|
|
//
|
|
// Helpers (h.clearPreLoginCookie / h.clearSessionCookies /
|
|
// h.recordAudit / clientIPFromRequest / classifyOIDCFailure) stay
|
|
// in auth_session_oidc.go alongside the AuthSessionOIDCHandler
|
|
// struct + constructor — same-package resolution makes the calls
|
|
// reach across the file boundary at zero compile-time cost.
|
|
|
|
// =============================================================================
|
|
// 1. Public OIDC handshake handlers.
|
|
// =============================================================================
|
|
|
|
// LoginInitiate handles GET /auth/oidc/login?provider=<id>.
|
|
//
|
|
// Generates state + nonce + PKCE-S256 verifier (in OIDCService),
|
|
// persists the pre-login row, sets the certctl_oidc_pending cookie,
|
|
// 302-redirects to the IdP authorization URL.
|
|
func (h *AuthSessionOIDCHandler) LoginInitiate(w http.ResponseWriter, r *http.Request) {
|
|
providerID := strings.TrimSpace(r.URL.Query().Get("provider"))
|
|
if providerID == "" {
|
|
Error(w, http.StatusBadRequest, "missing required query parameter `provider`")
|
|
return
|
|
}
|
|
// Audit 2026-05-10 MED-16 — capture clientIP + UA at /auth/oidc/login
|
|
// so HandleCallback can reject a stolen pre-login cookie replayed
|
|
// from a different browser/source. clientIPFromRequest already
|
|
// honours the LOW-5 trusted-proxy gating; r.UserAgent() reads the
|
|
// header verbatim.
|
|
loginIP := clientIPFromRequest(r)
|
|
loginUA := r.UserAgent()
|
|
authURL, cookieValue, _, err := h.oidcSvc.HandleAuthRequest(r.Context(), providerID, loginIP, loginUA)
|
|
if err != nil {
|
|
// Provider not found is the most common case; map to 404.
|
|
if errors.Is(err, repository.ErrOIDCProviderNotFound) {
|
|
Error(w, http.StatusNotFound, "provider not found")
|
|
return
|
|
}
|
|
// Other errors (disco fetch failure / IdP downgrade defense /
|
|
// crypto failure) are server-side; surface as 500 without
|
|
// leaking details.
|
|
Error(w, http.StatusInternalServerError, "could not initiate OIDC login")
|
|
return
|
|
}
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: sessiondomain.PreLoginCookieName,
|
|
Value: cookieValue,
|
|
// Audit 2026-05-10 MED-14 — `__Host-` prefix requires Path=/.
|
|
// The cookie lives 10 minutes and is only ever consumed by the
|
|
// callback handler; the wider path scope is harmless.
|
|
Path: "/",
|
|
MaxAge: int((10 * time.Minute).Seconds()),
|
|
Secure: h.cookieAttrs.Secure,
|
|
HttpOnly: true,
|
|
// Pre-login cookie MUST be SameSite=Lax (cannot be Strict
|
|
// because the IdP-initiated callback is a top-level navigation
|
|
// from a different origin per Phase 5 spec).
|
|
SameSite: http.SameSiteLaxMode,
|
|
})
|
|
http.Redirect(w, r, authURL, http.StatusFound)
|
|
}
|
|
|
|
// LoginCallback handles GET /auth/oidc/callback?code=...&state=....
|
|
//
|
|
// Reads the certctl_oidc_pending cookie, drives OIDCService.HandleCallback
|
|
// (which parses + HMAC-verifies the cookie, runs the 11-step token
|
|
// validation, group-claim resolution, role-mapping, user-upsert),
|
|
// mints a post-login session via SessionService.Create, deletes the
|
|
// pre-login cookie, sets the post-login cookie + CSRF token cookie,
|
|
// and 302's to the dashboard.
|
|
func (h *AuthSessionOIDCHandler) LoginCallback(w http.ResponseWriter, r *http.Request) {
|
|
q := r.URL.Query()
|
|
code := strings.TrimSpace(q.Get("code"))
|
|
state := strings.TrimSpace(q.Get("state"))
|
|
// Audit 2026-05-10 MED-17 — RFC 9207 iss URL parameter. NOT
|
|
// trimmed; preserved exactly as sent so the service-layer compare
|
|
// against the matched provider's IssuerURL is byte-strict. The IdP
|
|
// emits this only when advertised in its discovery doc; the
|
|
// service-layer check is a no-op otherwise.
|
|
callbackIss := q.Get("iss")
|
|
if code == "" || state == "" {
|
|
Error(w, http.StatusBadRequest, "missing code or state query parameter")
|
|
return
|
|
}
|
|
preLoginCookie, err := r.Cookie(sessiondomain.PreLoginCookieName)
|
|
if err != nil || preLoginCookie.Value == "" {
|
|
Error(w, http.StatusBadRequest, "missing pre-login cookie")
|
|
h.recordAudit(r.Context(), "auth.oidc_login_failed", "anonymous", domain.ActorTypeSystem, "",
|
|
map[string]interface{}{"failure_category": "missing_pre_login_cookie"})
|
|
return
|
|
}
|
|
clientIP := clientIPFromRequest(r)
|
|
userAgent := r.UserAgent()
|
|
|
|
res, err := h.oidcSvc.HandleCallback(r.Context(), preLoginCookie.Value, code, state, callbackIss, clientIP, userAgent)
|
|
if err != nil {
|
|
// Audit 2026-05-10 HIGH-7 — instead of a blank 400, redirect
|
|
// to /login?error=oidc_failed&reason=<category>. The LoginPage
|
|
// reads the query params and renders an operator-friendly
|
|
// alert. The audit row still carries the specific
|
|
// failure_category so server-side observability is unchanged.
|
|
category := classifyOIDCFailure(err)
|
|
h.recordAudit(r.Context(), "auth.oidc_login_failed", "anonymous", domain.ActorTypeSystem, "",
|
|
map[string]interface{}{"failure_category": category})
|
|
// Special-case unmapped groups so the audit row name distinguishes
|
|
// it from generic failures (operator-policy decision).
|
|
if category == "unmapped_groups" {
|
|
h.recordAudit(r.Context(), "auth.oidc_login_unmapped_groups", "anonymous", domain.ActorTypeSystem, "",
|
|
map[string]interface{}{})
|
|
}
|
|
// Always clear the pre-login cookie on failure.
|
|
h.clearPreLoginCookie(w)
|
|
// 302 to the login page; the reason categorizes the failure for
|
|
// the GUI to render. Keep the redirect target relative — the
|
|
// SPA serves /login.
|
|
http.Redirect(w, r, "/login?error=oidc_failed&reason="+category, http.StatusFound)
|
|
return
|
|
}
|
|
|
|
// res from the OIDC service already carries cookieValue + CSRFToken
|
|
// (the OIDC service wraps SessionService internally per Phase 3).
|
|
// We re-emit them via the standard Set-Cookie helper here so cookie
|
|
// attributes stay handler-controlled.
|
|
now := time.Now().UTC()
|
|
expires := now.Add(8 * time.Hour) // matches default SessionConfig.AbsoluteTimeout
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: sessiondomain.PostLoginCookieName,
|
|
Value: res.CookieValue,
|
|
Path: "/",
|
|
Expires: expires,
|
|
Secure: h.cookieAttrs.Secure,
|
|
HttpOnly: true,
|
|
SameSite: h.cookieAttrs.SameSite,
|
|
})
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: sessiondomain.CSRFCookieName,
|
|
Value: res.CSRFToken,
|
|
Path: "/",
|
|
Expires: expires,
|
|
Secure: h.cookieAttrs.Secure,
|
|
HttpOnly: false, // intentional — GUI must read this to echo header
|
|
SameSite: h.cookieAttrs.SameSite,
|
|
})
|
|
h.clearPreLoginCookie(w)
|
|
|
|
userID := ""
|
|
if res.User != nil {
|
|
userID = res.User.ID
|
|
}
|
|
h.recordAudit(r.Context(), "auth.oidc_login_succeeded", userID, domain.ActorTypeUser, userID,
|
|
map[string]interface{}{
|
|
"user_id": userID,
|
|
"role_ids": res.RoleIDs,
|
|
})
|
|
h.recordAudit(r.Context(), "auth.session_created", userID, domain.ActorTypeUser, userID,
|
|
map[string]interface{}{"user_id": userID})
|
|
|
|
http.Redirect(w, r, h.postLoginURL, http.StatusFound)
|
|
}
|
|
|
|
// BackChannelLogout handles POST /auth/oidc/back-channel-logout.
|
|
//
|
|
// OpenID Connect Back-Channel Logout 1.0. The IdP POSTs a logout_token
|
|
// JWT in the body (form-encoded `logout_token=<jwt>`); certctl validates
|
|
// signature against the IdP's JWKS, validates required claims (iss, aud,
|
|
// iat, jti, events; exactly one of sub or sid; nonce ABSENT), revokes
|
|
// matching sessions, returns 200 with Cache-Control: no-store. Failure
|
|
// modes return 400 per spec §2.6.
|
|
func (h *AuthSessionOIDCHandler) BackChannelLogout(w http.ResponseWriter, r *http.Request) {
|
|
if err := r.ParseForm(); err != nil {
|
|
Error(w, http.StatusBadRequest, "could not parse form body")
|
|
return
|
|
}
|
|
logoutToken := strings.TrimSpace(r.FormValue("logout_token"))
|
|
if logoutToken == "" {
|
|
Error(w, http.StatusBadRequest, "missing logout_token in form body")
|
|
return
|
|
}
|
|
issuer, sub, sid, jti, _, err := h.bclVerifier.Verify(r.Context(), logoutToken)
|
|
if err != nil {
|
|
// Per spec §2.6 — uniform 400 on any validation failure. The
|
|
// audit row carries the specific reason; the wire stays uniform.
|
|
// iat-skew rejections (Audit 2026-05-10 HIGH-3 iat-window check)
|
|
// land here too — the reason string distinguishes them.
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout_failed", "anonymous", domain.ActorTypeSystem, "",
|
|
map[string]interface{}{"failure_reason": err.Error()})
|
|
Error(w, http.StatusBadRequest, "logout_token validation failed")
|
|
return
|
|
}
|
|
|
|
// Audit 2026-05-10 HIGH-3 — jti consumed-set. Atomic single-use
|
|
// semantics via the postgres ON CONFLICT DO NOTHING path. On
|
|
// replay return 200 + audit outcome=jti_replayed (RFC 9700 §2.7).
|
|
// On transient repo error return 503 so the IdP follows its retry
|
|
// semantics. When the consumer is nil (test path / pre-fix
|
|
// deployments) the consume step is skipped.
|
|
if h.bclReplay != nil && jti != "" {
|
|
ttl := h.bclMaxAge * 2
|
|
if ttl < 24*time.Hour {
|
|
ttl = 24 * time.Hour
|
|
}
|
|
if cerr := h.bclReplay.ConsumeJTI(r.Context(), jti, issuer, ttl); cerr != nil {
|
|
if errors.Is(cerr, repository.ErrBCLJTIAlreadyConsumed) {
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout", "anonymous", domain.ActorTypeSystem, sub,
|
|
map[string]interface{}{"issuer": issuer, "subject": sub, "jti": jti, "outcome": "jti_replayed"})
|
|
w.Header().Set("Cache-Control", "no-store")
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
// Transient — let the IdP retry.
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout_failed", "anonymous", domain.ActorTypeSystem, sub,
|
|
map[string]interface{}{"issuer": issuer, "subject": sub, "jti": jti, "outcome": "jti_consume_failed", "err": cerr.Error()})
|
|
http.Error(w, "transient", http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
}
|
|
|
|
// Resolve target sessions:
|
|
// - sub set: revoke ALL sessions for the actor (oidc_subject lookup).
|
|
// - sid set: revoke the specific session_id.
|
|
if sid != "" {
|
|
if rerr := h.sessionSvc.Revoke(r.Context(), sid); rerr != nil {
|
|
// Idempotent at the repo layer; rerr is unlikely. Audit
|
|
// regardless and return 200 (the IdP shouldn't retry on
|
|
// our errors).
|
|
_ = rerr
|
|
}
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout", "anonymous", domain.ActorTypeSystem, sid,
|
|
map[string]interface{}{"sub_or_sid": "sid", "issuer": issuer, "session_id": sid})
|
|
} else if sub != "" {
|
|
// CRIT-2 closure of the 2026-05-10 audit. Pre-fix this branch called
|
|
// RevokeAllForActor(sub, "User") under the false assumption that
|
|
// the OIDC subject was used as the actor_id stem. In reality,
|
|
// internal/auth/oidc/service.go::upsertUser mints
|
|
// u.ID = "u-" + randomB64URL(16) and stores the OIDC subject in
|
|
// a separate column, so the pre-fix lookup never found a session
|
|
// row and the error was silently swallowed. BCL silently revoked
|
|
// nothing — CWE-613.
|
|
//
|
|
// The fix resolves the IdP-signed `iss` claim back to a provider
|
|
// row via providerRepo.List + IssuerURL filter, then resolves
|
|
// sub → user.ID via userRepo.GetByOIDCSubject, then revokes all
|
|
// sessions for that actor. Outcome categories audited:
|
|
// - revoked (happy path)
|
|
// - issuer_unknown (iss doesn't match any configured provider)
|
|
// - user_unknown (provider matched, but no user.id seeded for this subject)
|
|
// - revoke_failed (DB hiccup at the revoke step)
|
|
// - provider_lookup_failed / user_lookup_failed → 503 (transient; IdP retries)
|
|
// All success-shaped outcomes return 200 + Cache-Control: no-store
|
|
// per OIDC BCL 1.0 §2.7. Transient errors return 503 so the IdP
|
|
// follows its own retry semantics.
|
|
providers, plerr := h.providerRepo.List(r.Context(), h.tenantID)
|
|
if plerr != nil {
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout", "anonymous", domain.ActorTypeSystem, sub,
|
|
map[string]interface{}{"sub_or_sid": "sub", "issuer": issuer, "subject": sub, "outcome": "provider_lookup_failed"})
|
|
http.Error(w, "transient", http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
var matched *oidcdomain.OIDCProvider
|
|
for _, p := range providers {
|
|
if p.IssuerURL == issuer {
|
|
matched = p
|
|
break
|
|
}
|
|
}
|
|
if matched == nil {
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout", "anonymous", domain.ActorTypeSystem, sub,
|
|
map[string]interface{}{"sub_or_sid": "sub", "issuer": issuer, "subject": sub, "outcome": "issuer_unknown"})
|
|
// Idempotent — return 200 per spec.
|
|
w.Header().Set("Cache-Control", "no-store")
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
|
|
user, uerr := h.userRepo.GetByOIDCSubject(r.Context(), matched.ID, sub)
|
|
if uerr != nil {
|
|
if errors.Is(uerr, repository.ErrUserNotFound) {
|
|
// Idempotent: nothing to revoke. IdP may BCL a user we
|
|
// never logged in. RFC compliance: still 200.
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout", "anonymous", domain.ActorTypeSystem, sub,
|
|
map[string]interface{}{"sub_or_sid": "sub", "issuer": issuer, "subject": sub, "outcome": "user_unknown"})
|
|
w.Header().Set("Cache-Control", "no-store")
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
// Transient — let the IdP retry.
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout", "anonymous", domain.ActorTypeSystem, sub,
|
|
map[string]interface{}{"sub_or_sid": "sub", "issuer": issuer, "subject": sub, "outcome": "user_lookup_failed"})
|
|
http.Error(w, "transient", http.StatusServiceUnavailable)
|
|
return
|
|
}
|
|
|
|
if rerr := h.sessionSvc.RevokeAllForActor(r.Context(), user.ID, string(domain.ActorTypeUser)); rerr != nil {
|
|
// Revoke failed — BCL is best-effort per §2.8; still 200,
|
|
// audit the failure.
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout", user.ID, domain.ActorTypeUser, sub,
|
|
map[string]interface{}{"sub_or_sid": "sub", "issuer": issuer, "subject": sub, "outcome": "revoke_failed"})
|
|
w.Header().Set("Cache-Control", "no-store")
|
|
w.WriteHeader(http.StatusOK)
|
|
return
|
|
}
|
|
|
|
h.recordAudit(r.Context(), "auth.oidc_back_channel_logout", user.ID, domain.ActorTypeUser, sub,
|
|
map[string]interface{}{"sub_or_sid": "sub", "issuer": issuer, "subject": sub, "outcome": "revoked"})
|
|
}
|
|
// Per spec §2.7 — Cache-Control: no-store on success.
|
|
w.Header().Set("Cache-Control", "no-store")
|
|
w.WriteHeader(http.StatusOK)
|
|
}
|
|
|
|
// Logout handles POST /auth/logout. Revokes the caller's current
|
|
// session. Permission: own session (any authenticated caller).
|
|
func (h *AuthSessionOIDCHandler) Logout(w http.ResponseWriter, r *http.Request) {
|
|
caller, err := callerFromRequest(r)
|
|
if err != nil {
|
|
writeAuthError(w, err)
|
|
return
|
|
}
|
|
// Resolve the caller's session via the cookie -> Validate path.
|
|
sessionCookie, cerr := r.Cookie(sessiondomain.PostLoginCookieName)
|
|
if cerr != nil || sessionCookie.Value == "" {
|
|
// No cookie => nothing to revoke; treat as success (idempotent).
|
|
h.clearSessionCookies(w)
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
sess, verr := h.sessionSvc.Validate(r.Context(), sessionsvc.ValidateInput{
|
|
CookieValue: sessionCookie.Value,
|
|
ClientIP: clientIPFromRequest(r),
|
|
UserAgent: r.UserAgent(),
|
|
})
|
|
if verr != nil {
|
|
// Cookie is invalid; clear + 204 (idempotent).
|
|
h.clearSessionCookies(w)
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
if rerr := h.sessionSvc.Revoke(r.Context(), sess.ID); rerr != nil {
|
|
Error(w, http.StatusInternalServerError, "could not revoke session")
|
|
return
|
|
}
|
|
// Audit 2026-05-11 Fix 13 — HIGH-2 fourth call site. Rotate the CSRF
|
|
// token on the actor's remaining sessions so a token captured in
|
|
// this device's browser pre-logout (DevTools, malicious extension,
|
|
// session-storage leak) can't be replayed against a sibling session
|
|
// (other browser, other device) after the user logged out here.
|
|
// The just-revoked session also rotates but its CSRF lookup will
|
|
// fail at the sessions table's revoked_at IS NOT NULL filter
|
|
// anyway; rotation on the revoked row is harmless. RotateCSRFTokenForActor
|
|
// returns the count rotated and NEVER errors — rotation is defense
|
|
// in depth and must not block the logout success.
|
|
rotated := h.sessionSvc.RotateCSRFTokenForActor(r.Context(), caller.ActorID, string(caller.ActorType))
|
|
h.recordAudit(r.Context(), "auth.session_revoked", caller.ActorID, caller.ActorType, sess.ID,
|
|
map[string]interface{}{"session_id": sess.ID, "self_initiated": true, "csrf_rotated": rotated})
|
|
h.clearSessionCookies(w)
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|