add logout logic and wip recap

2026-02-18 18:08:30 +01:00
parent aca24ca560
commit acbaadff67
29 changed files with 363 additions and 100 deletions
--- a/backend/src/auth/auth.py
+++ b/backend/src/auth/auth.py
@@ -13,7 +13,7 @@ from src.models import UserCreate, User, UserPublic

 import secrets
 import requests
-
+from urllib.parse import urlencode
 import src.messages as messages

 router = APIRouter(prefix='/auth')
@@ -23,24 +23,13 @@ security = HTTPBearer()

@router.get('/logout')
 def logout(
-    id_token: Annotated[str | None, Cookie()] = None,
    refresh_token: Annotated[str | None, Cookie()] = None,
 ):
-    if refresh_token:
-        print("invalidate tokens")
-        requests.post(LOGOUT_URL, data={
-            "client_id": settings.keycloak_client_id,
-            "client_secret": settings.keycloak_client_secret,
-            "refresh_token": refresh_token
-        })
-
-    if id_token:
-        print("redirect keycloak")
-        response = RedirectResponse(f'{LOGOUT_URL}?post_logout_redirect_uri={settings.origins}&id_token_hint={id_token}')
-    else:
-        response = RedirectResponse(settings.origins)
-    
-    print("clear cookies")
+    params = {
+        'client_id': settings.keycloak_client_id,
+        'post_logout_redirect_uri': settings.origins,
+    }
+    response = RedirectResponse(f'{LOGOUT_URL}?{urlencode(params)}')
    response.delete_cookie(
        key='access_token',
        path='/',
@@ -59,6 +48,12 @@ def logout(
        secure=not settings.debug,
        samesite='lax',
    )
+    # if refresh_token:
+    #     requests.post(LOGOUT_URL, data={
+    #         'client_id': settings.keycloak_client_id,
+    #         'client_secret': settings.keycloak_client_secret,
+    #         'refresh_token': refresh_token
+    #     })
    return response


@@ -107,9 +102,9 @@ def callback(code: str, session: Session = Depends(get_session)):
            'refresh_token': token_data['refresh_token'],
        }
        res = requests.post(LOGOUT_URL, data=data)
-        resp = RedirectResponse(settings.origins)
+        resp = RedirectResponse(f'{settings.origins}?userNotAllowed=true')
        return resp
-    resource_access.get(settings.keycloak_client_id)
+    roles = resource_access.get(settings.keycloak_client_id)
    if not roles:
        data = {
            'client_id': settings.keycloak_client_id,
@@ -117,7 +112,7 @@ def callback(code: str, session: Session = Depends(get_session)):
            'refresh_token': token_data['refresh_token'],
        }
        res = requests.post(LOGOUT_URL, data=data)
-        resp = RedirectResponse(settings.origins)
+        resp = RedirectResponse(f'{settings.origins}?userNotAllowed=true')
        return resp

    user_create = UserCreate(