Remove sso_hint, add sso-clear logout chain through all apps
Some checks failed
Build and Deploy / build-and-deploy (push) Has been cancelled
Some checks failed
Build and Deploy / build-and-deploy (push) Has been cancelled
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
giles
@@ -196,20 +196,13 @@ def register(url_prefix="/auth"):
|
|||||||
qsession[SESSION_USER_KEY] = user_id
|
qsession[SESSION_USER_KEY] = user_id
|
||||||
|
|
||||||
redirect_url = pop_login_redirect_target()
|
redirect_url = pop_login_redirect_target()
|
||||||
resp = redirect(redirect_url, 303)
|
return redirect(redirect_url, 303)
|
||||||
resp.set_cookie(
|
|
||||||
"sso_hint", "1",
|
|
||||||
domain=".rose-ash.com", max_age=30 * 24 * 3600,
|
|
||||||
secure=True, samesite="Lax", httponly=True,
|
|
||||||
)
|
|
||||||
return resp
|
|
||||||
|
|
||||||
@auth_bp.post("/logout/")
|
@auth_bp.post("/logout/")
|
||||||
async def logout():
|
async def logout():
|
||||||
qsession.pop(SESSION_USER_KEY, None)
|
qsession.pop(SESSION_USER_KEY, None)
|
||||||
resp = redirect(account_url("/"))
|
# Chain through all client apps to clear their sessions too
|
||||||
resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
|
return redirect(url_for("auth.sso_logout"))
|
||||||
return resp
|
|
||||||
|
|
||||||
@auth_bp.get("/clear/")
|
@auth_bp.get("/clear/")
|
||||||
async def clear():
|
async def clear():
|
||||||
@@ -217,16 +210,25 @@ def register(url_prefix="/auth"):
|
|||||||
qsession.clear()
|
qsession.clear()
|
||||||
resp = redirect(account_url("/"))
|
resp = redirect(account_url("/"))
|
||||||
resp.delete_cookie("blog_session", domain=".rose-ash.com", path="/")
|
resp.delete_cookie("blog_session", domain=".rose-ash.com", path="/")
|
||||||
resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
|
|
||||||
return resp
|
return resp
|
||||||
|
|
||||||
@auth_bp.get("/sso-logout/")
|
@auth_bp.get("/sso-logout/")
|
||||||
async def sso_logout():
|
async def sso_logout():
|
||||||
"""SSO logout: clear account session + sso_hint, redirect to blog."""
|
"""SSO logout: clear account session, then chain through all client
|
||||||
|
apps so each clears its own first-party session cookie."""
|
||||||
qsession.pop(SESSION_USER_KEY, None)
|
qsession.pop(SESSION_USER_KEY, None)
|
||||||
from shared.infrastructure.urls import blog_url
|
|
||||||
resp = redirect(blog_url("/"))
|
from shared.infrastructure.urls import blog_url, market_url, cart_url, events_url, federation_url
|
||||||
resp.delete_cookie("sso_hint", domain=".rose-ash.com", path="/")
|
from urllib.parse import quote
|
||||||
return resp
|
|
||||||
|
# Build redirect chain: blog → market → cart → events → federation → blog home
|
||||||
|
final = blog_url("/")
|
||||||
|
chain = federation_url(f"/auth/sso-clear?next={quote(final, safe='')}")
|
||||||
|
chain = events_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
|
||||||
|
chain = cart_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
|
||||||
|
chain = market_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
|
||||||
|
chain = blog_url(f"/auth/sso-clear?next={quote(chain, safe='')}")
|
||||||
|
|
||||||
|
return redirect(chain)
|
||||||
|
|
||||||
return auth_bp
|
return auth_bp
|
||||||
|
|||||||
2
shared
2
shared
Submodule shared updated: 223491fad5...a93a456ac5
Reference in New Issue
Block a user