Commit 5870176

feat: Also log out of apps if they are hosted on the same domain (coder#4334)
* feat: Also log out of apps if they are hosted on the same domain * Update comment
1 parent 06d7e36 commit 5870176

1 file changed

+37
-11
lines changed


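--- a/coderd/users.go
+++ b/coderd/users.go
@@ -1018,6 +1018,43 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 }
 http.SetCookie(rw, cookie)
 
+// Delete the session token from database.
+apiKey := httpmw.APIKey(r)
+err := api.Database.DeleteAPIKeyByID(ctx, apiKey.ID)
+if err != nil {
+httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+Message: "Internal error deleting API key.",
+Detail: err.Error(),
+})
+return
+}
+
+// Deployments should not host app tokens on the same domain as the
+// primary deployment. But in the case they are, we should also delete this
+// token.
+if appCookie, _ := r.Cookie(httpmw.DevURLSessionTokenCookie); appCookie != nil {
+appCookieRemove := &http.Cookie{
+// MaxAge < 0 means to delete the cookie now.
+MaxAge: -1,
+Name: httpmw.DevURLSessionTokenCookie,
+Path: "/",
+Domain: "." + api.AccessURL.Hostname(),
+}
+http.SetCookie(rw, appCookieRemove)
+
+id, _, err := httpmw.SplitAPIToken(appCookie.Value)
+if err == nil {
+err = api.Database.DeleteAPIKeyByID(ctx, id)
+if err != nil {
+// Don't block logout, just log any errors.
+api.Logger.Warn(r.Context(), "failed to delete devurl token on logout",
+slog.Error(err),
+slog.F("id", id),
+)
+}
+}
+}
+
 // This code should be removed after Jan 1 2023.
 // This code logs out of the old session cookie before we renamed it
 // if it is a valid coder token. Otherwise, this old cookie hangs around
@@ -1036,17 +1073,6 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 }
 }
 
-// Delete the session token from database.
-apiKey := httpmw.APIKey(r)
-err = api.Database.DeleteAPIKeyByID(ctx, apiKey.ID)
-if err != nil {
-httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-Message: "Internal error deleting API key.",
-Detail: err.Error(),
-})
-return
-}
-
 httpapi.Write(ctx, rw, http.StatusOK, codersdk.Response{
 Message: "Logged out!",
 })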
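Review bot: The devurl token deletion at the end of the first hunk trusts a client-controlled value: `id` comes from `httpmw.SplitAPIToken(appCookie.Value)`, the secret half of the token is discarded with `_`, and the id is passed straight to `api.Database.DeleteAPIKeyByID(ctx, id)` with no check that the key belongs to the same user as the authenticated `apiKey`. Unless DeleteAPIKeyByID scopes the delete to the caller (it takes only an id here, and the primary-session delete above it relies on the middleware having validated that key), a logged-in user who learns or guesses another key's id can set this cookie and revoke that key by calling logout. Before deleting, load the key by id and require its owner to match the owner of `apiKey` (or run the cookie value through the same validation the API-key middleware applies), and treat a mismatch like a parse failure — log and skip, do not block logout. A comment such as `// The cookie value is attacker-controlled: never delete a key the caller does not own.` would record the invariant next to the call. postLogout begins before this hunk and its body continues between the two hunks.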
