core/authenticate: redirect to /.pomerium/signed_out when no signout redirect url is defined (#5060)

2025-07-26 13:09:47 +02:00 · 2024-04-10 13:39:07 -06:00 · 2024-04-10 13:39:07 -06:00 · 5f800300a4
commit 5f800300a4
parent 991fca496c
2 changed files with 30 additions and 5 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -237,6 +237,11 @@ func (a *Authenticate) signOutRedirect(w http.ResponseWriter, r *http.Request) e
 		log.Warn(r.Context()).Err(err).Msg("authenticate: failed to get sign out url for authenticator")
 	}

+	// if the authenticator failed to sign out, and no sign out url is defined, just go to the signed out page
+	if signOutURL == "" {
+		signOutURL = authenticateSignedOutURL
+	}
+
 	httputil.Redirect(w, r, signOutURL, http.StatusFound)
 	return nil
 }
--- a/authenticate/handlers_test.go
+++ b/authenticate/handlers_test.go
@ -132,6 +132,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 		sessionStore sessions.SessionStore
 		wantCode     int
 		wantBody     string
+		wantLocation string
 	}{
 		{
 			"good post",
@ -145,6 +146,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"https://corp.pomerium.io/",
 		},
 		{
 			"signout redirect url",
@ -158,6 +160,21 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"https://signout-redirect-url.example.com",
+		},
+		{
+			"empty redirect url",
+			http.MethodPost,
+			nil,
+			"",
+			"",
+			"sig",
+			"ts",
+			identity.MockProvider{SignOutError: oidc.ErrSignoutNotImplemented},
+			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
+			http.StatusFound,
+			"",
+			"https://authenticate.pomerium.app/.pomerium/signed_out",
 		},
 		{
 			"failed revoke",
@ -171,6 +188,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"https://corp.pomerium.io/",
 		},
 		{
 			"load session error",
@ -184,6 +202,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"https://corp.pomerium.io/",
 		},
 		{
 			"bad redirect uri",
@ -197,6 +216,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			&mstore.Store{Encrypted: true, Session: &sessions.State{}},
 			http.StatusFound,
 			"",
+			"/corp.pomerium.io/",
 		},
 	}
 	for _, tt := range tests {
@ -224,7 +244,9 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			params, _ := url.ParseQuery(u.RawQuery)
 			params.Add("sig", tt.sig)
 			params.Add("ts", tt.ts)
-			params.Add(urlutil.QueryRedirectURI, tt.redirectURL)
+			if tt.redirectURL != "" {
+				params.Add(urlutil.QueryRedirectURI, tt.redirectURL)
+			}
 			u.RawQuery = params.Encode()
 			r := httptest.NewRequest(tt.method, u.String(), nil)
 			state, err := tt.sessionStore.LoadSession(r)
@ -245,10 +267,8 @@ func TestAuthenticate_SignOut(t *testing.T) {
 			if diff := cmp.Diff(body, tt.wantBody); diff != "" {
 				t.Errorf("handler returned wrong body Body: %s", diff)
 			}
-			if tt.signoutRedirectURL != "" {
-				loc := w.Header().Get("Location")
-				assert.Contains(t, loc, tt.signoutRedirectURL)
-			}
+			loc := w.Header().Get("Location")
+			assert.Equal(t, tt.wantLocation, loc)
 		})
 	}
 }