Merge pull request #2961 from owncloud/bugfix/logout-without-id-token

We shall only call the sso end session endpoint in case we still have…
owncloud · Mar 26, 2020 · cd2bb9e · cd2bb9e
2 parents 7c03d42 + 90313f2
commit cd2bb9e
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 7 deletions.
diff --git a/changelog/unreleased/2961 b/changelog/unreleased/2961
@@ -0,0 +1,8 @@
+Bugfix: Fix logout when no tokens are known anymore
+
+Single Log Out requires the id_token and in cases where this token is no
+longer known calling the SLO endpoint will result in an error.
+
+This has been fixed.
+
+https://github.com/owncloud/phoenix/pull/2961
diff --git a/src/services/auth.js b/src/services/auth.js
@@ -78,6 +78,17 @@ export function initVueAuthenticate (config) {
         }
         return null
       },
+      getStoredUserObject () {
+        const storageString = sessionStorage.getItem('oc_oAuth' + mgr._userStoreKey)
+        if (storageString) {
+          const user = User.fromStorageString(storageString)
+          if (user) {
+            mgr.events.load(user, false)
+            return user
+          }
+        }
+        return null
+      },
       isAuthenticated () {
         return this.getToken() !== null
       },

diff --git a/src/store/user.js b/src/store/user.js
@@ -32,12 +32,18 @@ const actions = {
       // force redirect to login page after logout
       router.push({ name: 'login' })
     }
-    vueAuthInstance.logout()
-      .then(logoutFinalizer)
-      .catch(error => {
-        console.error(error)
-        logoutFinalizer()
-      })
+    // TODO: only call logout if we still have the id token
+    const u = vueAuthInstance.getStoredUserObject()
+    if (u && u.id_token) {
+      vueAuthInstance.logout()
+        .then(logoutFinalizer)
+        .catch(error => {
+          console.error(error)
+          logoutFinalizer()
+        })
+    } else {
+      logoutFinalizer()
+    }
   },
   initAuth (context, payload = { autoRedirect: false }) {
     function init (client, token, doLogin = true) {
@@ -107,7 +113,7 @@ const actions = {
       vueAuthInstance.events().addUserUnloaded(() => {
         console.log('user unloaded…')
         context.dispatch('cleanUpLoginState')
-        router.push({ name: 'accessDenied' })
+        router.push({ name: 'login' })
       })
       vueAuthInstance.events().addSilentRenewError(error => {
         console.error('Silent Renew Error：', error)