diff --git a/pkg/handler/handler_callback.go b/pkg/handler/handler_callback.go
index 5f90e65..4e31f88 100644
--- a/pkg/handler/handler_callback.go
+++ b/pkg/handler/handler_callback.go
@@ -17,6 +17,7 @@ import (
 	retrypkg "github.com/nais/wonderwall/pkg/retry"
 )
 
+// Callback handles the authentication response from the identity provider.
 func (h *Handler) Callback(w http.ResponseWriter, r *http.Request) {
 	// unconditionally clear login cookie
 	h.clearLoginCookies(w)
diff --git a/pkg/handler/handler_default.go b/pkg/handler/handler_default.go
index db931c2..fd98861 100644
--- a/pkg/handler/handler_default.go
+++ b/pkg/handler/handler_default.go
@@ -8,7 +8,7 @@ import (
 	"github.com/nais/wonderwall/pkg/session"
 )
 
-// Default proxies all requests upstream
+// Default proxies all requests upstream.
 func (h *Handler) Default(w http.ResponseWriter, r *http.Request) {
 	isAuthenticated := false
 
diff --git a/pkg/handler/handler_frontchannellogout.go b/pkg/handler/handler_frontchannellogout.go
index 3437ab2..94847a7 100644
--- a/pkg/handler/handler_frontchannellogout.go
+++ b/pkg/handler/handler_frontchannellogout.go
@@ -8,7 +8,7 @@ import (
 	logentry "github.com/nais/wonderwall/pkg/middleware"
 )
 
-// FrontChannelLogout triggers logout triggered by a third-party.
+// FrontChannelLogout performs a local logout initiated by a third party in the SSO circle-of-trust.
 func (h *Handler) FrontChannelLogout(w http.ResponseWriter, r *http.Request) {
 	logger := logentry.LogEntry(r)
 
diff --git a/pkg/handler/handler_login.go b/pkg/handler/handler_login.go
index 7bee0cd..132d051 100644
--- a/pkg/handler/handler_login.go
+++ b/pkg/handler/handler_login.go
@@ -19,6 +19,7 @@ const (
 	LoginCookieLifetime = 1 * time.Hour
 )
 
+// Login initiates the authorization code flow.
 func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
 	login, err := h.Client.Login(r)
 	if err != nil {
diff --git a/pkg/handler/handler_logout.go b/pkg/handler/handler_logout.go
index dfd0107..8487424 100644
--- a/pkg/handler/handler_logout.go
+++ b/pkg/handler/handler_logout.go
@@ -13,15 +13,22 @@ import (
 	"github.com/nais/wonderwall/pkg/session"
 )
 
-// Logout triggers self-initiated for the current user
+// Logout triggers self-initiated logout for the current user.
 func (h *Handler) Logout(w http.ResponseWriter, r *http.Request) {
 	logger := logentry.LogEntry(r)
 
+	logout, err := h.Client.Logout()
+	if err != nil {
+		h.InternalError(w, r, err)
+		return
+	}
+
 	var idToken string
 	sessionData, err := h.getSessionFromCookie(w, r)
 	if err == nil && sessionData != nil {
 		idToken = sessionData.IDToken
+
 		err = h.destroySession(w, r, h.localSessionID(sessionData.ExternalSessionID))
 		if err != nil && !errors.Is(err, session.KeyNotFoundError) {
 			h.InternalError(w, r, fmt.Errorf("logout: destroying session: %w", err))
@@ -40,12 +47,6 @@ func (h *Handler) Logout(w http.ResponseWriter, r *http.Request) {
 		h.Loginstatus.ClearCookie(w, h.CookieOptions)
 	}
 
-	logout, err := h.Client.Logout()
-	if err != nil {
-		h.InternalError(w, r, err)
-		return
-	}
-
 	logger.Info("logout: redirecting to identity provider")
 	metrics.ObserveLogout(metrics.LogoutOperationSelfInitiated)
 	http.Redirect(w, r, logout.SingleLogoutURL(idToken), http.StatusTemporaryRedirect)
diff --git a/pkg/handler/handler_logout_callback.go b/pkg/handler/handler_logout_callback.go
index c62f07c..478c703 100644
--- a/pkg/handler/handler_logout_callback.go
+++ b/pkg/handler/handler_logout_callback.go
@@ -6,7 +6,7 @@ import (
 	logentry "github.com/nais/wonderwall/pkg/middleware"
 )
 
-// LogoutCallback handles the callback from the self-initiated logout for the current user
+// LogoutCallback handles the callback initiated by the self-initiated logout after single-logout at the identity provider.
 func (h *Handler) LogoutCallback(w http.ResponseWriter, r *http.Request) {
 	redirect := h.Client.LogoutCallback(r).PostLogoutRedirectURI()
 
diff --git a/pkg/handler/handler_test.go b/pkg/handler/handler_test.go
index 495fb6c..2bc8dde 100644
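Review bot: The error from the hoisted `h.Client.Logout()` call is handed to `h.InternalError` bare, while the `destroySession` failure a few lines below in the same function is wrapped as `fmt.Errorf("logout: destroying session: %w", err)`; both error paths should carry the same context, e.g. `h.InternalError(w, r, fmt.Errorf("logout: resolving single logout url: %w", err))`. Moving the call above `getSessionFromCookie` means a failure to obtain the logout URL now returns before the local session is destroyed or cookies are cleared, so the user is no longer left locally logged out without the identity-provider logout having been reached; that ordering is worth stating in the new doc comment, e.g. `// The identity provider logout URL is resolved first so that a failure leaves the local session untouched.` Logout's body continues outside both hunks, so whether the `destroySession` branch returns after `h.InternalError` cannot be confirmed from this view.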
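Review bot: The new doc comment on LogoutCallback reads awkwardly ("the callback initiated by the self-initiated logout") and does not say where the request comes from; a clearer form is `// LogoutCallback handles the redirect back from the identity provider after a self-initiated single logout.` Only the first statement of the body is in the hunk, so how the post-logout redirect URI is checked before use is outside this view.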
--- a/pkg/handler/handler_test.go
+++ b/pkg/handler/handler_test.go
@@ -86,6 +86,7 @@ func TestHandler_LogoutCallback(t *testing.T) {
 	defer idp.Close()
 
 	rpClient := idp.RelyingPartyClient()
+	login(t, rpClient, idp)
 	logout(t, rpClient, idp)
 }
 
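Review bot: Inserting `login(t, rpClient, idp)` before `logout(t, rpClient, idp)` means TestHandler_LogoutCallback now only covers logout from an authenticated client; the previous form presumably exercised the path where no session cookie exists (no session to destroy, no id_token hint on the logout redirect), and that path loses its test. Consider keeping both variants as subtests, e.g. `t.Run("without session", ...)` and `t.Run("with session", ...)`, rather than replacing one with the other. The body of TestHandler_LogoutCallback starts outside the hunk, and what `login` and `logout` assert is not visible here.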