Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Check user matches logout request before reporting logout success #619

Merged
merged 18 commits into from
Dec 1, 2021
Merged

Check user matches logout request before reporting logout success #619

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
df81d0f
Check user matches logout request before reporting logout success
cjbarth Jul 1, 2021
80fc3a2
Refactor user comparison based on PR feedback
cjbarth Jul 2, 2021
591a1d8
Adjust tests to match improved logic
cjbarth Jul 2, 2021
e845fc0
Merge remote-tracking branch 'upstream/master' into validate-logout
cjbarth Aug 27, 2021
461dfc4
Update lockfile
cjbarth Sep 20, 2021
cade87c
Add new verify function for handling logout
cjbarth Oct 1, 2021
dd54b26
Cleanup readme
cjbarth Oct 1, 2021
1ede2eb
Update issue templates
cjbarth Oct 1, 2021
e999000
Update tests to support separate login and logout callbacks
cjbarth Oct 27, 2021
9cc27c4
Merge remote-tracking branch 'upstream/master' into validate-logout
cjbarth Oct 27, 2021
0ba8425
New lockfile
cjbarth Oct 27, 2021
117308b
Trying to fix fsevents problem
cjbarth Oct 27, 2021
7424968
Pin beta package
cjbarth Oct 28, 2021
d013a82
Merge branch 'master' into validate-logout
cjbarth Nov 17, 2021
b0a05be
Merge remote-tracking branch 'upstream/master' into validate-logout
cjbarth Nov 29, 2021
63a5f63
Merge remote-tracking branch 'refs/remotes/upstream/master'
cjbarth Nov 29, 2021
4907edd
Fix package-lock.json
cjbarth Nov 29, 2021
02f0eac
Fix package-lock.json again
cjbarth Nov 29, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 13 additions & 12 deletions src/strategy.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,11 +60,6 @@ export abstract class AbstractStrategy extends PassportStrategy {
}) => {
if (loggedOut) {
if (profile != null) {
if (this._saml == null) {
throw new Error("Can't get logout response URL without a SAML provider defined.");
}

const getLogoutResponseUrl = this._saml.getLogoutResponseUrl;
// When logging out a user, use the consumer's `validate` function to check that
// the `profile` associated with the logout request resolves to the same user
// as the `profile` associated with the current session.
cjbarth marked this conversation as resolved.
Show resolved Hide resolved
Expand All @@ -89,16 +84,22 @@ export abstract class AbstractStrategy extends PassportStrategy {
}

const RelayState = req.query?.RelayState || req.body?.RelayState;
getLogoutResponseUrl(profile, RelayState, options, userMatch, redirectIfSuccess);

// Log out the current user no matter if we can verify the logged in user === logout requested user
req.logout();

if (!userMatch) {
if (this._saml == null) {
return this.error(
new Error("Attempting to log out a user that differs from the current user.")
new Error("Can't get logout response URL without a SAML provider defined.")
);
} else {
this._saml.getLogoutResponseUrl(
profile,
RelayState,
options,
userMatch,
redirectIfSuccess
);
}

// Log out the current user no matter if we can verify the logged in user === logout requested user
req.logout();
cjbarth marked this conversation as resolved.
Show resolved Hide resolved
};

if (this._passReqToCallback) {
Expand Down
7 changes: 2 additions & 5 deletions src/types.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,14 +31,11 @@ export type VerifiedCallback = (

export type VerifyWithRequest = (
req: express.Request,
profile: Profile | null | undefined,
profile: Profile | null,
done: VerifiedCallback
) => void;

export type VerifyWithoutRequest = (
profile: Profile | null | undefined,
done: VerifiedCallback
) => void;
export type VerifyWithoutRequest = (profile: Profile | null, done: VerifiedCallback) => void;

export type StrategyOptionsCallback = (err: Error | null, samlOptions?: SamlConfig) => void;

Expand Down
4 changes: 2 additions & 2 deletions test/capturedSamlRequests.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -925,7 +925,7 @@ describe("captured SAML requests /", function () {
config.entryPoint = "https://wwwexampleIdp.com/saml";
let profile: Profile;
const strategy = new SamlStrategy(config, function (
_profile: Profile | null | undefined,
_profile: Profile | null,
done: VerifiedCallback
) {
if (_profile) {
Expand Down Expand Up @@ -1030,7 +1030,7 @@ describe("captured SAML requests /", function () {
config.entryPoint = "https://wwwexampleIdp.com/saml";
let profile: Profile;
const strategy = new SamlStrategy(config, function (
_profile: Profile | null | undefined,
_profile: Profile | null,
done: VerifiedCallback
) {
if (_profile) {
Expand Down
7 changes: 2 additions & 5 deletions test/capturedSamlResponses.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,10 +110,7 @@ describe("captured saml responses /", function () {
config.callbackUrl = "http://localhost:3033/login";
let profile: Profile;
pp.use(
new SamlStrategy(config, function (
_profile: Profile | null | undefined,
done: VerifiedCallback
): void {
new SamlStrategy(config, function (_profile: Profile | null, done: VerifiedCallback): void {
if (_profile) {
profile = _profile;
done(null, { id: profile.nameID });
Expand Down Expand Up @@ -180,7 +177,7 @@ describe("captured saml responses /", function () {
pp.use(
new SamlStrategy(config, function (
req: express.Request,
_profile: Profile | null | undefined,
_profile: Profile | null,
done: VerifiedCallback
) {
if (_profile) {
Expand Down
42 changes: 28 additions & 14 deletions test/strategy.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
"use strict";

import * as sinon from "sinon";
import { SAML, Strategy as SamlStrategy } from "../src";
import { RequestWithUser } from "../src/types";
import { Profile, SAML, Strategy as SamlStrategy } from "../src";
import { RequestWithUser, VerifiedCallback } from "../src/types";
import { FAKE_CERT } from "./types";

const noop = () => undefined;
Expand Down Expand Up @@ -79,22 +79,29 @@ describe("strategy#authorize", function () {
});

it("determines that logout was unsuccessful where user doesn't match", function (done) {
const strategy = new SamlStrategy({ cert: FAKE_CERT }, noop);
const strategy = new SamlStrategy({ cert: FAKE_CERT }, function (
_profile: Profile | null,
done: VerifiedCallback
) {
if (_profile) {
done(null, { name: _profile.nameID });
}
});

validatePostResponseAsync.resolves({
profile: {
ID: "ID",
issuer: "issuer",
nameID: "nameID",
nameID: "some other user",
nameIDFormat: "nameIDFormat",
},
loggedOut: true,
});

// Pretend we already loaded a users session from a cookie or something
// by calling `strategy.authenticate` when the request comes in
requestWithUserPostResponse.user = {
ID: "ID",
issuer: "issuer",
nameID: "otherNameID",
nameIDFormat: "nameIDFormat",
name: "some user",
};

// This returns immediately, but calls async functions; need to turn event loop
Expand All @@ -115,22 +122,29 @@ describe("strategy#authorize", function () {
});

it("determines that logout was successful where user matches", function (done) {
const strategy = new SamlStrategy({ cert: FAKE_CERT }, noop);
const strategy = new SamlStrategy({ cert: FAKE_CERT }, function (
_profile: Profile | null,
done: VerifiedCallback
) {
if (_profile) {
done(null, { name: _profile.nameID });
}
});

validatePostResponseAsync.resolves({
profile: {
ID: "ID",
issuer: "issuer",
nameID: "nameID",
nameID: "some user",
nameIDFormat: "nameIDFormat",
},
loggedOut: true,
});

// Pretend we already loaded a users session from a cookie or something
// by calling `strategy.authenticate` when the request comes in
requestWithUserPostResponse.user = {
ID: "ID",
issuer: "issuer",
nameID: "nameID",
nameIDFormat: "nameIDFormat",
name: "some user",
};

// This returns immediately, but calls async functions; need to turn event loop
Expand Down