N21-2136 moin schule logout from svs (#3535)

* N21-2136 external logout buttons
hpi-schul-cloud · Nov 12, 2024 · fde330d · fde330d
1 parent 34cd7a1
commit fde330d
Show file tree

Hide file tree

Showing 8 changed files with 65 additions and 6 deletions.
diff --git a/config/default.schema.json b/config/default.schema.json
@@ -625,6 +625,11 @@
 			"type": "boolean",
 			"default": false,
 			"description": "Enables the rooms feature"
+		},
+		"FEATURE_EXTERNAL_SYSTEM_LOGOUT_ENABLED": {
+			"type": "boolean",
+			"default": false,
+			"description": "Enables the external system logout feature"
 		}
 	},
 	"allOf": [

diff --git a/controllers/login.js b/controllers/login.js
@@ -484,4 +484,21 @@ router.get('/logout/', (req, res, next) => {
 		.catch(next);
 });
 
+router.get('/logout/external/', async (req, res, next) => {
+	let redirectUri = '/logout/';
+	if (Configuration.has('OAUTH2_LOGOUT_URI')) {
+		redirectUri = Configuration.get('OAUTH2_LOGOUT_URI');
+	}
+
+	if (res.locals.isExternalLogoutAllowed) {
+		try {
+			await api(req, { version: 'v3' }).post('/logout/external');
+		} catch (err) {
+			logger.error('error during external logout.', formatError(err));
+		}
+	}
+
+	res.redirect(redirectUri);
+});
+
 module.exports = router;
diff --git a/helpers/authentication.js b/helpers/authentication.js
@@ -64,7 +64,7 @@ const clearCookie = async (req, res, options = { destroySession: false }) => {
 			});
 		});
 	}
-	
+
 	res.clearCookie('jwt');
 	// this is deprecated and only used for cookie removal from now on,
 	// and can be removed after one month (max cookie lifetime from life systems)
@@ -101,6 +101,26 @@ const isAuthenticated = (req) => {
 };
 
 const populateCurrentUser = async (req, res) => {
+	async function setExternalSystemFromJwt(decodedJwt) {
+		if (!('systemId' in decodedJwt) && !decodedJwt.systemId) {
+			return;
+		}
+
+		try {
+			const response = await api(req, { version: 'v3' }).get(`/systems/public/${decodedJwt.systemId}`);
+			const hasEndSessionEndpoint = 'oauthConfig' in response
+				&& 'endSessionEndpoint' in response.oauthConfig
+				&& response.oauthConfig.endSessionEndpoint;
+
+			res.locals.isExternalLogoutAllowed = Configuration.get('FEATURE_EXTERNAL_SYSTEM_LOGOUT_ENABLED')
+				&& hasEndSessionEndpoint;
+			res.locals.systemName = response.displayName;
+		} catch (err) {
+			const metadata = { error: err.toString() };
+			logger.error('Unable to find out the external login system used by user', metadata);
+		}
+	}
+
 	let payload = {};
 	if (isJWT(req)) {
 		try {
@@ -129,6 +149,8 @@ const populateCurrentUser = async (req, res) => {
 	}
 
 	if (payload && payload.userId) {
+		await setExternalSystemFromJwt(payload);
+
 		if (res.locals.currentUser && res.locals.currentSchoolData) {
 			return Promise.resolve(res.locals.currentSchoolData);
 		}

diff --git a/locales/de.json b/locales/de.json
@@ -3231,4 +3231,4 @@
 			"createAfterFirstSave": "H5P Inhalte können erst nach dem ersten Speichern erstellt werden."
 		}
 	}
-}
+}
diff --git a/locales/en.json b/locales/en.json
@@ -3231,4 +3231,4 @@
 			"createAfterFirstSave": "H5P contents can only be created after the first save."
 		}
 	}
-}
+}
diff --git a/locales/es.json b/locales/es.json
@@ -3231,4 +3231,4 @@
 			"createAfterFirstSave": "Los contenidos H5P solo se pueden crear después del primer guardado."
 		}
 	}
-}
+}
diff --git a/locales/uk.json b/locales/uk.json
@@ -3240,4 +3240,4 @@
 			"createAfterFirstSave": "Вміст H5P можна створити лише після першого збереження."
 		}
 	}
-}
+}
diff --git a/views/lib/topbar.hbs b/views/lib/topbar.hbs
@@ -59,7 +59,22 @@
                   <hr>
                   {{> "user/forms/language" language=@root.userLanguage }}
                   <li><a class="dropdown-item" data-testid="settings" href="/account/" role="menuitem" aria-label="{{$t 'lib.loggedin.tab_label.settings' }}">{{$t "lib.loggedin.tab_label.settings" }}</a></li>
-                  <li><a class="dropdown-item localstorageclear" data-testid="logout" href= {{#hasConfig "OAUTH2_LOGOUT_URI"}} {{getConfig "OAUTH2_LOGOUT_URI"}} {{else}} "/logout/" {{/hasConfig}} role="menuitem" aria-label="{{$t 'lib.loggedin.tab_label.signOut'}}">{{$t "lib.loggedin.tab_label.signOut"}}</a></li>
+                  {{#if isExternalLogoutAllowed}}
+                      <li><a class="dropdown-item"
+                          data-testid="external-logout"
+                          href="/logout/external/"
+                          role="menuitem"
+                          aria-label="{{$t 'lib.loggedin.tab_label.signOut'}} Bildungscloud & {{ systemName }}">
+                              {{$t 'lib.loggedin.tab_label.signOut'}} Bildungscloud & {{ systemName }}
+                      </a></li>
+                  {{/if}}
+                  <li><a class="dropdown-item localstorageclear"
+                      data-testid="logout"
+                      role="menuitem"
+                      href= {{#hasConfig "OAUTH2_LOGOUT_URI"}} {{getConfig "OAUTH2_LOGOUT_URI"}} {{else}} "/logout/" {{/hasConfig}}
+                      aria-label="{{$t 'lib.loggedin.tab_label.signOut'}}{{#if isExternalLogoutAllowed}} Bildungscloud{{/if}}">
+                          {{$t 'lib.loggedin.tab_label.signOut'}}{{#if isExternalLogoutAllowed}} Bildungscloud{{/if}}
+                  </a></li>
               </ul>
           </div>
       </li>
-Original file line number
+Diff line change
@@ Expand Up / @@ -3231,4 +3231,4 @@ @@
     			"createAfterFirstSave": "H5P Inhalte können erst nach dem ersten Speichern erstellt werden."
     		}
     	}
-    }
+    }