feat: add logout endpoint

author: mo khan <mo@mokhan.ca> 2025-04-25 22:40:59 -0600
committer: mo khan <mo@mokhan.ca> 2025-04-28 09:07:31 -0600
commit: af084321226b2adbe18c8a538435feda662cbad0 (patch)
tree: 3b7cfd6cce984ee43c0097c3b20ca9e73bb6a47a
parent: 4030e9c36ebd22d2e9c647a1ba286390361b4f63 (diff)
3 files changed, 22 insertions, 1 deletions
diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index 08002a2..7e706e7 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -25,6 +25,7 @@ func New(cfg *oidc.OpenID, http *http.Client) *Controller {
 func (c *Controller) MountTo(mux *http.ServeMux) {
 	mux.HandleFunc("GET /session/new", c.New)
 	mux.HandleFunc("GET /session/callback", c.Create)
+	mux.HandleFunc("POST /session/destroy", c.Destroy)
 }
 
 func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
@@ -138,3 +139,8 @@ func (c *Controller) Create(w http.ResponseWriter, r *http.Request) {
 	http.SetCookie(w, cookie.New("session", encoded, tokens.Expiry))
 	http.Redirect(w, r, "/dashboard", http.StatusFound)
 }
+
+func (c *Controller) Destroy(w http.ResponseWriter, r *http.Request) {
+	cookie.Expire(w, r, "session")
+	http.Redirect(w, r, "/", http.StatusFound)
+}
diff --git a/app/controllers/sessions/controller_test.go b/app/controllers/sessions/controller_test.go
index 46c32fd..e325afc 100644
--- a/app/controllers/sessions/controller_test.go
+++ b/app/controllers/sessions/controller_test.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/url"
 	"testing"
+	"time"
 
 	"github.com/oauth2-proxy/mockoidc"
 	"github.com/stretchr/testify/assert"
@@ -13,6 +14,7 @@ import (
 	"github.com/xlgmokha/x/pkg/x"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web/cookie"
 )
 
 func TestSessions(t *testing.T) {
@@ -131,4 +133,17 @@ func TestSessions(t *testing.T) {
 			})
 		})
 	})
+
+	t.Run("POST /session/destroy", func(t *testing.T) {
+		t.Run("clears the session cookie", func(t *testing.T) {
+			cookie := cookie.New("session", "value", time.Now().Add(5*time.Minute))
+			r, w := test.RequestResponse("POST", "/session/destroy", test.WithCookie(cookie))
+
+			mux.ServeHTTP(w, r)
+
+			require.Equal(t, http.StatusFound, w.Code)
+			assert.Equal(t, "/", w.Header().Get("Location"))
+			assert.Equal(t, "session=; Path=/; Domain=localhost; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Secure", w.Header().Get("Set-Cookie"))
+		})
+	})
 }
diff --git a/pkg/web/cookie/reset.go b/pkg/web/cookie/reset.go
index 1686343..87e815e 100644
--- a/pkg/web/cookie/reset.go
+++ b/pkg/web/cookie/reset.go
@@ -30,7 +30,7 @@ func Clear(cookie *http.Cookie) *http.Cookie {
 	cookie.Path = "/"
 	cookie.HttpOnly = true
 	cookie.Secure = true
-	cookie.SameSite = http.SameSiteNoneMode
+	cookie.SameSite = http.SameSiteDefaultMode
 	cookie.Domain = env.Fetch("HOST", "localhost")
 	return cookie
 }
author	mo khan <mo@mokhan.ca>	2025-04-25 22:40:59 -0600
committer	mo khan <mo@mokhan.ca>	2025-04-28 09:07:31 -0600
commit	af084321226b2adbe18c8a538435feda662cbad0 (patch)
tree	3b7cfd6cce984ee43c0097c3b20ca9e73bb6a47a
parent	4030e9c36ebd22d2e9c647a1ba286390361b4f63 (diff)