photoprism/internal/api/oauth_logout_test.go
Michael Mayer 50976f427e Auth: Add RP-initiated OIDC logout via PHOTOPRISM_OIDC_LOGOUT #5684 #5433
Sign-out of an OIDC session redirects the browser to the provider's
discovered end_session_endpoint (id_token_hint + absolute
post_logout_redirect_uri) when PHOTOPRISM_OIDC_LOGOUT is enabled, so the
provider SSO session ends and the next login re-prompts. Opt-in (default
off); local/LDAP logout and providers without an end-session endpoint fall
back to local logout.

Adds the shared CE /api/v1/oauth/logout route and OAuthLogoutHandler hook
plus the Portal OP end_session_endpoint advertised in the Portal discovery
document, for Portal builds to serve via the override hook.
2026-06-24 17:21:00 +02:00

59 lines
1.7 KiB
Go

package api
import (
"net/http"
"testing"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/assert"
"github.com/photoprism/photoprism/internal/config"
)
func TestOAuthLogout(t *testing.T) {
t.Run("PublicMode", func(t *testing.T) {
app, router, _ := NewApiTest()
OAuthLogout(router)
r := PerformRequest(app, http.MethodGet, "/api/v1/oauth/logout")
assert.Equal(t, http.StatusForbidden, r.Code)
})
t.Run("DefaultNotImplemented", func(t *testing.T) {
app, router, conf := NewApiTest()
conf.SetAuthMode(config.AuthModePasswd)
defer conf.SetAuthMode(config.AuthModePublic)
OAuthLogout(router)
r := PerformRequest(app, http.MethodGet, "/api/v1/oauth/logout")
assert.Equal(t, http.StatusMethodNotAllowed, r.Code)
})
t.Run("PostRouteRegistered", func(t *testing.T) {
app, router, conf := NewApiTest()
conf.SetAuthMode(config.AuthModePasswd)
defer conf.SetAuthMode(config.AuthModePublic)
OAuthLogout(router)
r := PerformRequest(app, http.MethodPost, "/api/v1/oauth/logout")
assert.Equal(t, http.StatusMethodNotAllowed, r.Code)
})
t.Run("OverrideHookDelegates", func(t *testing.T) {
app, router, _ := NewApiTest()
OAuthLogout(router)
prev := OAuthLogoutHandler
OAuthLogoutHandler = func(c *gin.Context) { c.String(http.StatusOK, "delegated:"+c.Request.Method) }
defer func() { OAuthLogoutHandler = prev }()
get := PerformRequest(app, http.MethodGet, "/api/v1/oauth/logout")
assert.Equal(t, http.StatusOK, get.Code)
assert.Equal(t, "delegated:GET", get.Body.String())
post := PerformRequest(app, http.MethodPost, "/api/v1/oauth/logout")
assert.Equal(t, http.StatusOK, post.Code)
assert.Equal(t, "delegated:POST", post.Body.String())
})
}