fix(auth): GET /v1/auth/logout 302s directly to url; /logout page lands on / #70

Merged
YousifShkara merged 1 commit from fix/logout-honors-final-url into main 2026-06-06 03:18:17 +02:00
Owner

Two related changes so a "Log out" click actually feels like signing out, instead of bouncing through another login screen.

`GET /v1/auth/logout?url=<x>` (bunyip-api). Previously: clear cookies, then 302 to `{web_origin}/login?redirect={url}&checked=1`. The param name `url` implied "where to send the browser afterwards", but the handler treated it as "where to send the browser AFTER the user signs back in", forcing every caller to land on the Bunyip login form. Child-app SPAs (mokosh-clients) that called this endpoint to clean up the SSO session ended up on the Bunyip login form instead of their own landing page. Now: clear cookies, 302 directly to `url`. The same domain validation still applies, so logout cannot redirect off the apex; what changes is the path between "cookies cleared" and "browser arrives". This matches the OIDC RP-initiated logout shape (`post_logout_redirect_uri`).

`GET /logout` (bunyip-web). Previously: post-logout target was always `/login`. Same UX problem: clicking "Log out" served a login form. Now: default target is `/` (bunyip homepage). The `?redirect=` query param escape hatch is preserved for callers that genuinely want the post-logout login-then-redirect chain (session-timeout banners, expired-cookie recovery), so existing flows that pass `?redirect=/something` keep working.

Companion mokosh-clients change to point the SPA's logout `url` at its own origin (msp.a8n.systems) ships separately.
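The two redirect decisions described above, worked through as an added example in Rust (the project's language, going by the clippy check); this is not bunyip's own handler code. A small apex-domain check stands in for the project's "same domain validation", and `WEB_ORIGIN`, `APEX`, the session cookie name and attributes, the rejection of an off-apex `url` (the PR does not say what the real handler does with one), and the path check on `?redirect=` are all assumptions. `msp.a8n.systems` is the SPA origin the PR names.

```rust
// Added example, not bunyip's own code: post-logout redirect decision for
// GET /v1/auth/logout?url=<x> before and after this PR, plus the bunyip-web
// GET /logout target. WEB_ORIGIN, APEX, the cookie name and the handling of a
// rejected url are assumptions; msp.a8n.systems is the SPA origin the PR names.

const WEB_ORIGIN: &str = "https://bunyip.a8n.systems"; // assumed
const APEX: &str = "a8n.systems";                       // assumed

/// Host of an absolute https URL, or None if the input is not one.
/// Takes the authority up to the first '/', '?' or '#', drops userinfo
/// (everything before the last '@') and any port, so
/// `https://bunyip.a8n.systems@evil.test/` resolves to `evil.test`.
fn https_host(url: &str) -> Option<String> {
    let rest = url.strip_prefix("https://")?;
    let end = rest
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .unwrap_or(rest.len());
    let authority = &rest[..end];
    let hostport = authority.rsplit('@').next()?;
    let host = hostport.split(':').next()?;
    let valid = !host.is_empty()
        && host.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.');
    if valid { Some(host.to_ascii_lowercase()) } else { None }
}

/// True when `host` is the apex or a subdomain of it. A plain suffix match
/// would let `evila8n.systems` through.
fn on_apex(host: &str, apex: &str) -> bool {
    host == apex || host.strip_suffix(apex).map_or(false, |p| p.ends_with('.'))
}

/// The domain validation both the old and the new handler apply to `url`.
fn validated_target(url: &str) -> Result<&str, &'static str> {
    let host = https_host(url).ok_or("url is not an absolute https URL")?;
    if on_apex(&host, APEX) { Ok(url) } else { Err("url host is off the apex") }
}

/// Percent-encode a query value, keeping RFC 3986 unreserved characters.
fn encode_query(v: &str) -> String {
    let mut out = String::new();
    for b in v.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Before this PR: `url` became the post-LOGIN target, so every caller
/// landed on the Bunyip login form first.
fn legacy_location(url: &str) -> Result<String, &'static str> {
    let target = validated_target(url)?;
    Ok(format!("{}/login?redirect={}&checked=1", WEB_ORIGIN, encode_query(target)))
}

/// After this PR: same validation, then the browser goes straight to `url`,
/// the OIDC RP-initiated-logout shape (post_logout_redirect_uri).
fn logout_location(url: &str) -> Result<String, &'static str> {
    validated_target(url).map(|t| t.to_string())
}

/// The API handler's result: a cookie-clearing header for the SSO session
/// (name and attributes assumed; Path and Domain must match what the session
/// cookie was set with, or the browser treats the clear as a different cookie)
/// followed by the 302 Location.
fn logout_response(url: &str) -> Result<(u16, Vec<(&'static str, String)>), &'static str> {
    let location = logout_location(url)?;
    let clear = format!("bunyip_session=; Max-Age=0; Path=/; Domain={}; Secure; HttpOnly", APEX);
    Ok((302, vec![("Set-Cookie", clear), ("Location", location)]))
}

/// bunyip-web GET /logout after this PR: default to `/`; `?redirect=` keeps
/// the login-then-redirect chain. The path check is added here: only a
/// same-origin path is honoured, and `//host` or `/\host` is refused because
/// browsers read those as protocol-relative URLs.
fn web_logout_location(redirect: Option<&str>) -> String {
    match redirect {
        Some(p) if p.starts_with('/') && !p.starts_with("//") && !p.starts_with("/\\") => {
            format!("/login?redirect={}", encode_query(p))
        }
        _ => "/".to_string(),
    }
}

fn main() {
    let spa = "https://msp.a8n.systems/";
    println!("legacy: {:?}", legacy_location(spa));
    println!("now:    {:?}", logout_response(spa));
    println!("evil:   {:?}", logout_location("https://bunyip.a8n.systems@evil.test/"));
    println!("web:    {} / {}", web_logout_location(None), web_logout_location(Some("//evil.test")));
}
```

Run it with `rustc` and no crates; the userinfo, port and `evila8n.systems` cases are the ones a hand-written host check most often gets wrong, and the `//host` case is why a bare "starts with /" test on `?redirect=` is not enough.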

fix(auth): GET /v1/auth/logout 302s directly to url; /logout page lands on /
All checks were successful
Create release / Create release from merged PR (pull_request) Has been skipped
Check / fmt / clippy / build / test (pull_request) Successful in 1m20s
942b837639
YousifShkara deleted branch fix/logout-honors-final-url 2026-06-06 03:18:17 +02:00
Reference
psa-systems/bunyip!70