fix: logout api

supertokens · Sep 20, 2024 · 49c51d7 · 49c51d7
1 parent 7c2842e
commit 49c51d7
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 12 deletions.
diff --git a/src/main/java/io/supertokens/oauth/OAuth.java b/src/main/java/io/supertokens/oauth/OAuth.java
@@ -514,9 +514,39 @@ public static void revokeSessionHandle(Main main, AppIdentifier appIdentifier, S
         oauthStorage.revoke(appIdentifier, "session_handle", sessionHandle);
 	}
 
-    public static void verifyIdTokenAndClientIdForLogout(Main main, AppIdentifier appIdentifier, Storage storage,
-            String idTokenHint, String clientId) throws StorageQueryException, OAuthAPIException {
-
-    }
+    public static void verifyIdTokenHintClientIdAndUpdateQueryParamsForLogout(Main main, AppIdentifier appIdentifier, Storage storage,
+            Map<String, String> queryParams) throws StorageQueryException, OAuthAPIException, TenantOrAppNotFoundException, UnsupportedJWTSigningAlgorithmException, StorageTransactionLogicException {
+
+        String idTokenHint = queryParams.get("idTokenHint");
+        String clientId = queryParams.get("clientId");
+
+        JsonObject idTokenPayload = null;
+        if (idTokenHint != null) {
+            queryParams.remove("idTokenHint");
 
+            try {
+                idTokenPayload = OAuthToken.getPayloadFromJWTToken(appIdentifier, main, idTokenHint);
+            } catch (TryRefreshTokenException e) {
+                // invalid id token
+                throw new OAuthAPIException("invalid_request", "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.", 400);
+            }
+        }
+
+        if (idTokenPayload != null) {
+            if (!idTokenPayload.has("stt") || idTokenPayload.get("stt").getAsInt() != OAuthToken.TokenType.ID_TOKEN.getValue()) {
+                // Invalid id token
+                throw new OAuthAPIException("invalid_request", "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.", 400);
+            }
+
+            String clientIdInIdTokenPayload = idTokenPayload.get("aud").getAsString();
+
+            if (clientId != null) {
+                if (!clientId.equals(clientIdInIdTokenPayload)) {
+                    throw new OAuthAPIException("invalid_request", "The client_id in the id_token_hint does not match the client_id in the request.", 400);
+                }
+            }
+
+            queryParams.put("clientId", clientIdInIdTokenPayload);
+        }
+    }
 }
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java
@@ -2,20 +2,22 @@
 
 import java.io.IOException;
 import java.util.HashMap;
+import java.util.Map;
 
 import com.google.gson.JsonObject;
 
 import io.supertokens.Main;
+import io.supertokens.jwt.exceptions.UnsupportedJWTSigningAlgorithmException;
 import io.supertokens.multitenancy.exception.BadPermissionException;
 import io.supertokens.oauth.HttpRequestForOry;
 import io.supertokens.oauth.OAuth;
 import io.supertokens.oauth.exceptions.OAuthAPIException;
 import io.supertokens.pluginInterface.RECIPE_ID;
 import io.supertokens.pluginInterface.Storage;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
 import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
-import io.supertokens.webserver.InputParser;
 import io.supertokens.webserver.WebserverAPI;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -33,24 +35,22 @@ public String getPath() {
 
     @Override
     protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
-        String idTokenHint = InputParser.getQueryParamOrThrowError(req, "idTokenHint", true);
-        String clientId = InputParser.getQueryParamOrThrowError(req, "clientId", true);
-
         try {
             AppIdentifier appIdentifier = getAppIdentifier(req);
             Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
 
-            OAuth.verifyIdTokenAndClientIdForLogout(main, appIdentifier, storage, idTokenHint, clientId);
+            Map<String, String> queryParams = OAuthProxyHelper.defaultGetQueryParamsFromRequest(req);
+            OAuth.verifyIdTokenHintClientIdAndUpdateQueryParamsForLogout(main, appIdentifier, storage, queryParams);
 
             HttpRequestForOry.Response response = OAuthProxyHelper.proxyGET(
                 main, req, resp,
                 appIdentifier,
                 storage,
-                null, // clientIdToCheck
+                queryParams.get("clientId"), // clientIdToCheck
                 "/oauth2/sessions/logout", // proxyPath
                 false, // proxyToAdmin
                 true, // camelToSnakeCaseConversion
-                OAuthProxyHelper.defaultGetQueryParamsFromRequest(req),
+                queryParams,
                 new HashMap<>() // headers
             );
 
@@ -66,7 +66,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IO
 
         } catch (OAuthAPIException e) {
             OAuthProxyHelper.handleOAuthAPIException(resp, e);
-        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException e) {
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException | UnsupportedJWTSigningAlgorithmException | StorageTransactionLogicException e) {
             throw new ServletException(e);
         }
     }