mirror of
https://github.com/photoprism/photoprism.git
synced 2026-07-18 00:59:38 +00:00
Sign-out of an OIDC session redirects the browser to the provider's discovered end_session_endpoint (id_token_hint + absolute post_logout_redirect_uri) when PHOTOPRISM_OIDC_LOGOUT is enabled, so the provider SSO session ends and the next login re-prompts. Opt-in (default off); local/LDAP logout and providers without an end-session endpoint fall back to local logout. Adds the shared CE /api/v1/oauth/logout route and OAuthLogoutHandler hook plus the Portal OP end_session_endpoint advertised in the Portal discovery document, for Portal builds to serve via the override hook.
59 lines
1.7 KiB
Go
59 lines
1.7 KiB
Go
package api
|
|
|
|
import (
|
|
"net/http"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/photoprism/photoprism/internal/config"
|
|
)
|
|
|
|
func TestOAuthLogout(t *testing.T) {
|
|
t.Run("PublicMode", func(t *testing.T) {
|
|
app, router, _ := NewApiTest()
|
|
|
|
OAuthLogout(router)
|
|
|
|
r := PerformRequest(app, http.MethodGet, "/api/v1/oauth/logout")
|
|
assert.Equal(t, http.StatusForbidden, r.Code)
|
|
})
|
|
t.Run("DefaultNotImplemented", func(t *testing.T) {
|
|
app, router, conf := NewApiTest()
|
|
conf.SetAuthMode(config.AuthModePasswd)
|
|
defer conf.SetAuthMode(config.AuthModePublic)
|
|
|
|
OAuthLogout(router)
|
|
|
|
r := PerformRequest(app, http.MethodGet, "/api/v1/oauth/logout")
|
|
assert.Equal(t, http.StatusMethodNotAllowed, r.Code)
|
|
})
|
|
t.Run("PostRouteRegistered", func(t *testing.T) {
|
|
app, router, conf := NewApiTest()
|
|
conf.SetAuthMode(config.AuthModePasswd)
|
|
defer conf.SetAuthMode(config.AuthModePublic)
|
|
|
|
OAuthLogout(router)
|
|
|
|
r := PerformRequest(app, http.MethodPost, "/api/v1/oauth/logout")
|
|
assert.Equal(t, http.StatusMethodNotAllowed, r.Code)
|
|
})
|
|
t.Run("OverrideHookDelegates", func(t *testing.T) {
|
|
app, router, _ := NewApiTest()
|
|
|
|
OAuthLogout(router)
|
|
|
|
prev := OAuthLogoutHandler
|
|
OAuthLogoutHandler = func(c *gin.Context) { c.String(http.StatusOK, "delegated:"+c.Request.Method) }
|
|
defer func() { OAuthLogoutHandler = prev }()
|
|
|
|
get := PerformRequest(app, http.MethodGet, "/api/v1/oauth/logout")
|
|
assert.Equal(t, http.StatusOK, get.Code)
|
|
assert.Equal(t, "delegated:GET", get.Body.String())
|
|
|
|
post := PerformRequest(app, http.MethodPost, "/api/v1/oauth/logout")
|
|
assert.Equal(t, http.StatusOK, post.Code)
|
|
assert.Equal(t, "delegated:POST", post.Body.String())
|
|
})
|
|
}
|