fix(auth): RP-initiated Keycloak logout + PKCE verifier race
Clicking logout previously only called supabase.auth.signOut(): Keycloak's SSO cookie was untouched, so the (app) layout's $effect immediately re-fired login() and Keycloak silently re-authenticated — logout looked broken. That same chain also surfaced "PKCE code verifier not found in storage" on prod, since signOut()'s async storage clear could race signInWithOAuth()'s verifier write, or the $effect could double-fire and overwrite verifiers mid-flight. - logout(): signOut() then redirect to Keycloak's end_session endpoint (client_id + post_logout_redirect_uri=/logged-out). Keycloak shows a one-click "Do you want to log out?" confirmation because GoTrue's proxy flow does not expose the id_token, so we can't pass id_token_hint. - isLoggingOut flag + guard in (app) layout $effect: prevents auto-relogin during the logout navigation. - New public /logged-out route, outside the (app) group. - A-05 rewritten, new A-07 (fresh login must prompt for credentials after RP-initiated logout). - pgTAP 008 extended with 4 assertions for migration 014's UPDATE trigger. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,18 @@
|
||||
import { browser } from '$app/environment';
|
||||
import {
|
||||
PUBLIC_KEYCLOAK_URL,
|
||||
PUBLIC_KEYCLOAK_REALM,
|
||||
PUBLIC_KEYCLOAK_CLIENT_ID
|
||||
} from '$env/static/public';
|
||||
import { getSupabase } from '$lib/supabase';
|
||||
|
||||
/**
|
||||
* Set for the duration of the logout flow so the (app) layout's auth-gate
|
||||
* $effect doesn't race us by calling login() between signOut() and the
|
||||
* Keycloak end-session redirect.
|
||||
*/
|
||||
export let isLoggingOut = false;
|
||||
|
||||
/**
|
||||
* Redirect to Keycloak login via GoTrue OAuth proxy.
|
||||
* GoTrue handles the PKCE exchange; the browser lands at /auth/callback.
|
||||
@@ -20,10 +32,34 @@ export async function login(redirectTo?: string): Promise<void> {
|
||||
}
|
||||
|
||||
/**
|
||||
* Sign out from Supabase (clears local session).
|
||||
* The Keycloak session remains active — the user won't be asked for credentials
|
||||
* again on next login unless they also log out from the Keycloak Account Console.
|
||||
* RP-initiated OIDC logout: clear the Supabase session AND end the Keycloak
|
||||
* SSO session, then land on a public /logged-out page.
|
||||
*
|
||||
* Why both: `supabase.auth.signOut()` only clears GoTrue state. If we don't
|
||||
* also hit Keycloak's end-session endpoint, the Keycloak SSO cookie survives
|
||||
* and the next `signInWithOAuth()` silently re-authenticates — making logout
|
||||
* look broken. It also eliminates a race where the (app) layout's auth
|
||||
* effect re-fires `login()` before navigation and can clobber the PKCE
|
||||
* verifier mid-flight ("PKCE code verifier not found in storage" on prod).
|
||||
*
|
||||
* Keycloak's `post.logout.redirect.uris` is set to "+" so any registered
|
||||
* redirect URI (including `${origin}/*`) is valid as a post-logout target;
|
||||
* passing `client_id` is sufficient — `id_token_hint` is not exposed by
|
||||
* GoTrue's proxy path, so we rely on client_id + post_logout_redirect_uri.
|
||||
*/
|
||||
export async function logout(): Promise<void> {
|
||||
if (!browser) return;
|
||||
|
||||
isLoggingOut = true;
|
||||
|
||||
await getSupabase().auth.signOut();
|
||||
|
||||
const postLogoutRedirect = `${window.location.origin}/logged-out`;
|
||||
const endSession = new URL(
|
||||
`${PUBLIC_KEYCLOAK_URL}/realms/${PUBLIC_KEYCLOAK_REALM}/protocol/openid-connect/logout`
|
||||
);
|
||||
endSession.searchParams.set('client_id', PUBLIC_KEYCLOAK_CLIENT_ID);
|
||||
endSession.searchParams.set('post_logout_redirect_uri', postLogoutRedirect);
|
||||
|
||||
window.location.assign(endSession.toString());
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user