Support OIDC RP-initiated logout

models/auth/auth_token.go

@@ -16,10 +16,13 @@ import (
 var ErrAuthTokenNotExist = util.NewNotExistErrorf("auth token does not exist")
 
 type AuthToken struct { //nolint:revive
-	ID          string `xorm:"pk"`
-	TokenHash   string
-	UserID      int64              `xorm:"INDEX"`
-	ExpiresUnix timeutil.TimeStamp `xorm:"INDEX"`
+	ID            string `xorm:"pk"`
+	TokenHash     string
+	UserID        int64 `xorm:"INDEX"`
+	ExternalID    string
+	LoginSourceID int64
+	LoginType     Type
+	ExpiresUnix   timeutil.TimeStamp `xorm:"INDEX"`
 }
 
 func init() {
@@ -31,6 +34,14 @@ func InsertAuthToken(ctx context.Context, t *AuthToken) error {
 	return err
 }
 
+func ExistAuthToken(ctx context.Context, id string) bool {
+	exist, err := db.Exist[AuthToken](ctx, builder.Eq{"`id`": id})
+	if err != nil {
+		return false
+	}
+	return exist
+}
+
 func GetAuthTokenByID(ctx context.Context, id string) (*AuthToken, error) {
 	at := &AuthToken{}
 

models/auth/external_auth_token.go

@@ -0,0 +1,138 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package auth
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/modules/util"
+
+	"xorm.io/builder"
+)
+
+type ErrExternalAuthTokenNotExist struct {
+	SessionID   string
+	AuthTokenID string
+}
+
+func IsErrExternalAuthTokenNotExist(err error) bool {
+	_, ok := err.(ErrExternalAuthTokenNotExist)
+	return ok
+}
+
+func (err ErrExternalAuthTokenNotExist) Error() string {
+	return fmt.Sprintf("external auth token does not exist [sessionID: %s, authTokenID: %s]", err.SessionID, err.AuthTokenID)
+}
+
+func (err ErrExternalAuthTokenNotExist) Unwrap() error {
+	return util.ErrNotExist
+}
+
+type ExternalAuthToken struct {
+	SessionID         string         `xorm:"pk"`
+	AuthTokenID       string         `xorm:"INDEX"`
+	UserID            int64          `xorm:"INDEX NOT NULL"`
+	ExternalID        string         `xorm:"NOT NULL"`
+	LoginSourceID     int64          `xorm:"INDEX NOT NULL"`
+	RawData           map[string]any `xorm:"TEXT JSON"`
+	AccessToken       string         `xorm:"TEXT"`
+	AccessTokenSecret string         `xorm:"TEXT"`
+	RefreshToken      string         `xorm:"TEXT"`
+	ExpiresAt         time.Time
+	IDToken           string `xorm:"TEXT"`
+}
+
+func init() {
+	db.RegisterModel(new(ExternalAuthToken))
+}
+
+func InsertExternalAuthToken(ctx context.Context, t *ExternalAuthToken) error {
+	_, err := db.GetEngine(ctx).Insert(t)
+	return err
+}
+
+func GetExternalAuthTokenBySessionID(ctx context.Context, sessionID string) (*ExternalAuthToken, error) {
+	t := &ExternalAuthToken{}
+	has, err := db.GetEngine(ctx).ID(sessionID).Get(t)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, ErrExternalAuthTokenNotExist{SessionID: sessionID}
+	}
+	return t, nil
+}
+
+func GetExternalAuthTokenByAuthTokenID(ctx context.Context, authTokenID string) (*ExternalAuthToken, error) {
+	t := &ExternalAuthToken{}
+	has, err := db.GetEngine(ctx).Where(builder.Eq{"auth_token_id": authTokenID}).Get(t)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, ErrExternalAuthTokenNotExist{AuthTokenID: authTokenID}
+	}
+	return t, nil
+}
+
+func GetExternalAuthTokenSessionIDsAndAuthTokenIDs(ctx context.Context, userID, loginSourceID int64) ([]*ExternalAuthToken, error) {
+	tlist := []*ExternalAuthToken{}
+	cond := builder.NewCond().And(builder.Eq{"user_id": userID})
+	if loginSourceID > 0 {
+		cond = cond.And(builder.Eq{"login_source_id": loginSourceID})
+	}
+	if err := db.GetEngine(ctx).Cols("session_id", "auth_token_id").Where(cond).Find(&tlist); err != nil {
+		return nil, err
+	}
+	return tlist, nil
+}
+
+func UpdateExternalAuthTokenBySessionID(ctx context.Context, sessionID string, t *ExternalAuthToken) error {
+	_, err := db.GetEngine(ctx).ID(sessionID).AllCols().Update(t)
+	return err
+}
+
+func DeleteExternalAuthTokenBySessionID(ctx context.Context, sessionID string) error {
+	_, err := db.GetEngine(ctx).ID(sessionID).Delete(&ExternalAuthToken{})
+	return err
+}
+
+func DeleteExternalAuthTokensByUserLoginSourceID(ctx context.Context, userID, loginSourceID int64) error {
+	_, err := db.GetEngine(ctx).Where(builder.Eq{"user_id": userID, "login_source_id": loginSourceID}).Delete(&ExternalAuthToken{})
+	return err
+}
+
+func DeleteExternalAuthTokensByUserID(ctx context.Context, userID int64) error {
+	_, err := db.GetEngine(ctx).Where(builder.Eq{"user_id": userID}).Delete(&ExternalAuthToken{})
+	return err
+}
+
+type FindExternalAuthTokenOptions struct {
+	db.ListOptions
+	UserID        int64
+	ExternalID    string
+	LoginSourceID int64
+	OrderBy       string
+}
+
+func (opts FindExternalAuthTokenOptions) ToConds() builder.Cond {
+	cond := builder.NewCond()
+	if opts.UserID > 0 {
+		cond = cond.And(builder.Eq{"user_id": opts.UserID})
+	}
+	if len(opts.ExternalID) > 0 {
+		cond = cond.And(builder.Eq{"external_id": opts.ExternalID})
+	}
+	if opts.LoginSourceID > 0 {
+		cond = cond.And(builder.Eq{"login_source_id": opts.LoginSourceID})
+	}
+	return cond
+}
+
+func (opts FindExternalAuthTokenOptions) ToOrders() string {
+	return opts.OrderBy
+}

models/auth/source.go

@@ -6,6 +6,7 @@ package auth
 
 import (
 	"context"
+	"encoding/gob"
 	"fmt"
 	"reflect"
 
@@ -129,6 +130,7 @@ func (Source) TableName() string {
 
 func init() {
 	db.RegisterModel(new(Source))
+	gob.Register(Type(0))
 }
 
 // BeforeSet is invoked from XORM before setting the value of a field of this object.

models/migrations/migrations.go

@@ -568,6 +568,8 @@ var migrations = []Migration{
 	NewMigration("Add PayloadVersion to HookTask", v1_22.AddPayloadVersionToHookTaskTable),
 	// v291 -> v292
 	NewMigration("Add Index to attachment.comment_id", v1_22.AddCommentIDIndexofAttachment),
+	// v292 -> v293
+	NewMigration("Drop raw_data, access_token, access_token_secret, refresh_token and expires_at columns from external_login_user table", v1_22.DropColumnsFromExternalLoginUserTable),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v1_22/v292.go

@@ -0,0 +1,37 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package v1_22 //nolint
+
+import (
+	"time"
+
+	"code.gitea.io/gitea/models/migrations/base"
+
+	"xorm.io/xorm"
+)
+
+func DropColumnsFromExternalLoginUserTable(x *xorm.Engine) error {
+	type ExternalLoginUser struct {
+		RawData           map[string]any `xorm:"TEXT JSON"`
+		AccessToken       string         `xorm:"TEXT"`
+		AccessTokenSecret string         `xorm:"TEXT"`
+		RefreshToken      string         `xorm:"TEXT"`
+		ExpiresAt         time.Time
+	}
+	if err := x.Sync(new(ExternalLoginUser)); err != nil {
+		return err
+	}
+
+	sess := x.NewSession()
+	defer sess.Close()
+	if err := sess.Begin(); err != nil {
+		return err
+	}
+
+	if err := base.DropTableColumns(sess, "external_login_user", "raw_data", "access_token", "access_token_secret", "refresh_token", "expires_at"); err != nil {
+		return err
+	}
+
+	return sess.Commit()
+}

models/user/external_login_user.go

@@ -6,7 +6,6 @@ package user
 import (
 	"context"
 	"fmt"
-	"time"
 
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/util"
@@ -57,23 +56,18 @@ func (err ErrExternalLoginUserNotExist) Unwrap() error {
 
 // ExternalLoginUser makes the connecting between some existing user and additional external login sources
 type ExternalLoginUser struct {
-	ExternalID        string         `xorm:"pk NOT NULL"`
-	UserID            int64          `xorm:"INDEX NOT NULL"`
-	LoginSourceID     int64          `xorm:"pk NOT NULL"`
-	RawData           map[string]any `xorm:"TEXT JSON"`
-	Provider          string         `xorm:"index VARCHAR(25)"`
-	Email             string
-	Name              string
-	FirstName         string
-	LastName          string
-	NickName          string
-	Description       string
-	AvatarURL         string `xorm:"TEXT"`
-	Location          string
-	AccessToken       string `xorm:"TEXT"`
-	AccessTokenSecret string `xorm:"TEXT"`
-	RefreshToken      string `xorm:"TEXT"`
-	ExpiresAt         time.Time
+	ExternalID    string `xorm:"pk NOT NULL"`
+	UserID        int64  `xorm:"INDEX NOT NULL"`
+	LoginSourceID int64  `xorm:"pk NOT NULL"`
+	Provider      string `xorm:"index VARCHAR(25)"`
+	Email         string
+	Name          string
+	FirstName     string
+	LastName      string
+	NickName      string
+	Description   string
+	AvatarURL     string `xorm:"TEXT"`
+	Location      string
 }
 
 type ExternalUserMigrated interface {

modules/session/provider.go

@@ -0,0 +1,16 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package session
+
+import (
+	"code.gitea.io/gitea/modules/setting"
+)
+
+func GetSessionProvider() (*VirtualSessionProvider, error) {
+	sessionProvider := &VirtualSessionProvider{}
+	if err := sessionProvider.Init(setting.SessionConfig.Gclifetime, setting.SessionConfig.ProviderConfig); err != nil {
+		return nil, err
+	}
+	return sessionProvider, nil
+}

modules/session/virtual.go

@@ -69,7 +69,9 @@ func (o *VirtualSessionProvider) Read(sid string) (session.RawStore, error) {
 
 // Exist returns true if session with given ID exists.
 func (o *VirtualSessionProvider) Exist(sid string) bool {
-	return true
+	o.lock.RLock()
+	defer o.lock.RUnlock()
+	return o.provider.Exist(sid)
 }
 
 // Destroy deletes a session by session ID.

routers/install/install.go

@@ -555,7 +555,7 @@ func SubmitInstall(ctx *context.Context) {
 			u, _ = user_model.GetUserByName(ctx, u.Name)
 		}
 
-		nt, token, err := auth_service.CreateAuthTokenForUserID(ctx, u.ID)
+		nt, token, err := auth_service.CreateAuthTokenForUserID(ctx, u.ID, 0, 0)
 		if err != nil {
 			ctx.ServerError("CreateAuthTokenForUserID", err)
 			return