fix(authn): harden OIDC logout cookie cleanup and support solid logout aliases

bourgeoa · bourgeoa · commit c1b85da7bb82 · 2026-05-30T17:56:07.000+02:00
add robust session/cookie cleanup on goodbye route in webid-oidc.mjs
support .well-known and /solid logout route aliases before redirecting to goodbye in webid-oidc.mjs
include /solid/logout paths in logout request detection in create-app.mjs
diff --git a/lib/api/authn/webid-oidc.mjs b/lib/api/authn/webid-oidc.mjs
@@ -8,6 +8,7 @@ import bodyParserPkg from 'body-parser'
 import { fromServerConfig } from '../../models/oidc-manager.mjs'
 import { LoginRequest } from '../../requests/login-request.mjs'
 import { SharingRequest } from '../../requests/sharing-request.mjs'
+import debug from '../../debug.mjs'
 
 import restrictToTopDomain from '../../handlers/restrict-to-top-domain.mjs'
 
@@ -21,6 +22,84 @@ const { urlencoded } = bodyParserPkg
 const bodyParser = urlencoded({ extended: false })
 const { AuthCallbackRequest } = oidcAuthManager.handlers
 
+function oidcCookieNames (req) {
+  const provider = req.app?.locals?.oidc?.provider
+  if (!provider || typeof provider.configuration !== 'function') {
+    return []
+  }
+
+  const cookieNames = provider.configuration('cookies')?.names || {}
+  const baseNames = Object.values(cookieNames).filter(Boolean)
+  const expandedNames = baseNames.flatMap(name => [
+    name,
+    `${name}.sig`,
+    `${name}.legacy`,
+    `${name}.legacy.sig`
+  ])
+
+  return Array.from(new Set(expandedNames))
+}
+
+function cookieNamesFromRequest (req) {
+  const cookieHeader = req.headers?.cookie
+  if (!cookieHeader) {
+    return []
+  }
+
+  return cookieHeader
+    .split(';')
+    .map(fragment => fragment.trim())
+    .filter(Boolean)
+    .map(fragment => fragment.split('=')[0].trim())
+    .filter(Boolean)
+}
+
+function clearAuthCookies (res, domain, cookieNames) {
+  const cookiePaths = ['/', '/.oidc']
+  const allCookieNames = Array.from(new Set([
+    'nssidp.sid',
+    'nssidp.sid.sig',
+    'nssidp.sid.legacy',
+    'nssidp.sid.legacy.sig',
+    ...(cookieNames || [])
+  ]))
+
+  for (const path of cookiePaths) {
+    const noDomainOptions = { path }
+    for (const name of allCookieNames) {
+      res.clearCookie(name, noDomainOptions)
+    }
+
+    if (domain) {
+      const domainOptions = { domain, path }
+      for (const name of allCookieNames) {
+        res.clearCookie(name, domainOptions)
+      }
+    }
+  }
+}
+
+function renderGoodbyeAndClearSession (req, res, next) {
+  const domain = req.session?.cookie?.domain
+  const providerCookieNames = oidcCookieNames(req)
+  const incomingCookieNames = cookieNamesFromRequest(req)
+  const cookiesToClear = Array.from(new Set([...providerCookieNames, ...incomingCookieNames]))
+
+  if (!req.session) {
+    clearAuthCookies(res, domain, cookiesToClear)
+    return res.render('auth/goodbye')
+  }
+
+  req.session.destroy((err) => {
+    if (err) {
+      return next(err)
+    }
+
+    clearAuthCookies(res, domain, cookiesToClear)
+    res.render('auth/goodbye')
+  })
+}
+
 /**
  * Sets up OIDC authentication for the given app.
  *
@@ -102,25 +181,21 @@ export function middleware (oidc) {
   router.get('/account/password/change', restrictToTopDomain, PasswordChangeRequest.get)
   router.post('/account/password/change', restrictToTopDomain, bodyParser, PasswordChangeRequest.post)
 
-  router.get(['/.well-known/solid/logout', '/.well-known/solid/logout/'], (req, res) => res.redirect('/logout'))
-
-  router.get('/goodbye', (req, res, next) => {
-    if (!req.session) {
-      return res.render('auth/goodbye')
-    }
-
-    const domain = req.session.cookie && req.session.cookie.domain
-    req.session.destroy((err) => {
-      if (err) {
-        return next(err)
-      }
+  router.get([
+    '/.well-known/solid/logout',
+    '/.well-known/solid/logout/',
+    '/solid/logout',
+    '/solid/logout/'
+  ], (req, res) => {
+    res.redirect('/goodbye')
+  })
 
-      const cookieOptions = domain ? { domain, path: '/' } : { path: '/' }
-      res.clearCookie('nssidp.sid', cookieOptions)
-      res.render('auth/goodbye')
-    })
+  router.get(['/logout', '/logout/'], (req, res) => {
+    res.redirect('/goodbye')
   })
 
+  router.get('/goodbye', renderGoodbyeAndClearSession)
+
   // The relying party callback is called at the end of the OIDC signin process
   router.get('/api/oidc/rp/:issuer_id', AuthCallbackRequest.get)
 
diff --git a/lib/create-app.mjs b/lib/create-app.mjs
@@ -323,6 +323,8 @@ function isLogoutRequest (req) {
   // this code should live in the OIDC module
   return req.path === '/logout' ||
     req.path === '/goodbye' ||
+    req.path === '/solid/logout' ||
+    req.path === '/solid/logout/' ||
     req.path === '/.well-known/solid/logout' ||
     req.path === '/.well-known/solid/logout/'
 }

Original file line number	Diff line number	Diff line change
`@@ -323,6 +323,8 @@ function isLogoutRequest (req) {`
`323`	`323`	`// this code should live in the OIDC module`
`324`	`324`	`return req.path === '/logout' \|\|`
`325`	`325`	`req.path === '/goodbye' \|\|`
	`326`	`+ req.path === '/solid/logout' \|\|`
	`327`	`+ req.path === '/solid/logout/' \|\|`
`326`	`328`	`req.path === '/.well-known/solid/logout' \|\|`
`327`	`329`	`req.path === '/.well-known/solid/logout/'`
`328`	`330`	`}`