Support logging out

[vaunus]

What would you like to be added:

I would like the lambda to be capable of catching a predefined logout uri which then triggers a logout.

From my understanding this would require the lambda to do the following:

• Remove all ${this._cookieBase}.* cookies.
• Redirect to https://${this._userPoolDomain}/logout?redirect_uri=${redirectURI}&response_type=code&client_id=${this._userPoolAppId} to clear any Cognito cookies. Cognito then redirects to its own /login page.

I would propose adding an optional parameter to the Authenticator such as logoutUri. If this is set, for example to /logout and the user hits this uri, we trigger the above behaviour.
If this parameter is not set, the lambda works exactly as it does currently.

Why is this needed:

Right now this library has greatly simplified our authentication flow which is brilliant and it has been very simple to set up. We intend on using it to protect many internal apps, but logging out is not so simple as I need to implement this logic across each app my lambda protects.

I will be happy to open a PR with all of the above functionality if a contributor can confirm this sounds reasonable. If you have any comments on the proposed implementation please let me know. 🙂

[jeandek]

Hi Vaughan, I'm glad that this package is useful for you, but I don't think what you are describing is a good fit.

Logging out and invalidating Cognito tokens should be handled by your application. For example, it can be done using the Amplify framework. You can also write your own implementation that calls the Cognito LOGOUT endpoint if you don't want or can't use Amplify, but it should live client-side. From a Lambda function, it would not be possible to clear the user's cookies.

Please tell me if I'm missing something.

[vaunus]

No problem @jeandek I will adapt our own custom lambda for these purposes then.

FYI it is definitely possible to clear cookies via the lambda. I already have this working via my POC lambda. Just set Expires=Thu Jan 01 1970 00:00:00 GMT+0000 (Coordinated Universal Time); or some other date in the past. I believe this is how cookies are expired server side anyway.

Anyway, I will close the issue for now, thanks for getting back to me 👍🏻

[jeandek]

TIL, I did not know about expiring cookies from the server.

I discussed your request with the team and we agreed that it could be a useful feature to have in some environments. The implementation you described in the original post also would not increase the package's complexity unreasonably. If you're willing to submit a PR, we'd be happy to review it.

[vigneshprabhud]

@vaunus I have the same problem as you mentioned. How did to manage to clear cookies and redirect to logout url of Cognito? Is there a snippet that you could share? thanks.

[vaunus]

@vigneshprabhud you need to setup a logout uri as part of your lambda logic and then do a 302 redirect and clear the cookies as part of that same lambda response.

Something like this:

const { request } = event.Records[0].cf

if (request.uri === '/logout') {
  const location = `https://${userPoolDomain}/logout?redirect_uri=${url.origin}&response_type=code&client_id=${userPoolAppId}&state=${state}`

  const response = {
    status: '302',
    headers: {
      location: [{ key: 'Location', value: location }],
      'set-cookie': [
        `cookie1=; Domain=${cookieDomain}; Expires=${new Date(0)}; Secure`,
        `cookie2=; Domain=${cookieDomain}; Expires=${new Date(0)}; Secure`
      ]
    }
  }
}

Hope that helps!