Fanrouver
94 lines
3.7 KiB
TypeScript
94 lines
3.7 KiB
TypeScript
// server/api/auth/logout.post.ts
|
|
export default defineEventHandler(async (event) => {
|
|
try {
|
|
const config = useRuntimeConfig();
|
|
console.log('🚪 Logout handler called');
|
|
|
|
// Get the current session to retrieve tokens
|
|
const sessionId = getCookie(event, 'user_session');
|
|
let idToken = null;
|
|
|
|
if (sessionId) {
|
|
try {
|
|
const { getSession, deleteSession } = await import('~/server/utils/sessionStore');
|
|
const session = getSession(sessionId);
|
|
if (session) {
|
|
idToken = session.idToken;
|
|
console.log('🔑 ID token found in session:', !!idToken);
|
|
// Delete session from store
|
|
deleteSession(sessionId);
|
|
}
|
|
} catch (error) {
|
|
console.warn('⚠️ Could not retrieve session:', error);
|
|
}
|
|
} else {
|
|
console.warn('⚠️ No session cookie found');
|
|
}
|
|
|
|
// Clear all auth-related cookies
|
|
console.log('🧹 Clearing session cookies...');
|
|
deleteCookie(event, 'user_session');
|
|
deleteCookie(event, 'oauth_state');
|
|
|
|
// Also clear with different path variations to be thorough
|
|
deleteCookie(event, 'user_session', { path: '/' });
|
|
deleteCookie(event, 'oauth_state', { path: '/' });
|
|
|
|
console.log('✅ Session cleared successfully');
|
|
|
|
// Construct the Keycloak logout URL with proper parameters
|
|
// IMPORTANT: The post_logout_redirect_uri must be registered in Keycloak client settings
|
|
const logoutUrl = new URL(`${config.keycloakIssuer}/protocol/openid-connect/logout`);
|
|
|
|
// Debug: Log the authUrl being used
|
|
console.log('🔧 Using authUrl from config:', config.public.authUrl);
|
|
|
|
// Build the redirect URI - must match what's configured in Keycloak
|
|
const postLogoutRedirectUri = `${config.public.authUrl}/LoginPage?logout=success`;
|
|
|
|
// Add required parameters for proper Keycloak logout
|
|
logoutUrl.searchParams.set('client_id', config.keycloakClientId);
|
|
logoutUrl.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
|
|
|
|
// If we have an ID token, add it for proper session termination
|
|
// This ensures Keycloak properly terminates the SSO session
|
|
if (idToken) {
|
|
logoutUrl.searchParams.set('id_token_hint', idToken);
|
|
console.log('🔑 Added id_token_hint to logout URL');
|
|
} else {
|
|
console.warn('⚠️ No ID token available for logout hint - logout may not fully terminate Keycloak session');
|
|
}
|
|
|
|
console.log('🔗 Keycloak logout URL constructed:', logoutUrl.toString());
|
|
console.log('📍 Post-logout redirect URI:', postLogoutRedirectUri);
|
|
console.log('⚠️ Make sure this redirect URI is configured in Keycloak client settings!');
|
|
|
|
// Return the logout URL to the client for redirect
|
|
// This approach gives better control to the client-side code
|
|
return {
|
|
success: true,
|
|
logoutUrl: logoutUrl.toString(),
|
|
message: 'Session cleared successfully'
|
|
};
|
|
|
|
} catch (error: any) {
|
|
console.error('❌ Logout error:', error);
|
|
console.error('❌ Error stack:', error.stack);
|
|
|
|
// Even if there's an error, try to provide a basic logout URL
|
|
const config = useRuntimeConfig();
|
|
const postLogoutRedirectUri = `${config.public.authUrl}/LoginPage?logout=success`;
|
|
const fallbackLogoutUrl = new URL(`${config.keycloakIssuer}/protocol/openid-connect/logout`);
|
|
fallbackLogoutUrl.searchParams.set('client_id', config.keycloakClientId);
|
|
fallbackLogoutUrl.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
|
|
|
|
console.warn('⚠️ Using fallback logout URL due to error');
|
|
|
|
return {
|
|
success: false,
|
|
logoutUrl: fallbackLogoutUrl.toString(),
|
|
error: 'Logout encountered an error, but providing fallback logout URL',
|
|
message: error.message
|
|
};
|
|
}
|
|
}); |