From a99790c7ec97126003b75944e65fe04eca579a8b Mon Sep 17 00:00:00 2001
From: Ylian Saint-Hilaire
Date: Sat, 16 Oct 2021 23:55:34 -0700
Subject: [PATCH] Added auth strategy logout url.
---
 meshcentral-config-schema.json | 21 ++++++++++++++-------
 webserver.js | 17 ++++++++++++++++-
 2 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index c59531a8..a088edbe 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -740,7 +740,8 @@
 "newAccounts": { "type": "boolean", "default": false },
 "newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
 "clientid": { "type": "string" },
- "clientsecret": { "type": "string" }
+ "clientsecret": { "type": "string" },
+ "logouturl": {"type": "string", "format": "uri", "description": "Then set, the user will be redirected to this URL when hitting the logout link."}
 },
 "required": [ "clientid", "clientsecret" ]
 },
@@ -751,7 +752,8 @@
 "newAccounts": { "type": "boolean", "default": false },
 "newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
 "clientid": { "type": "string" },
- "clientsecret": { "type": "string" }
+ "clientsecret": { "type": "string" },
+ "logouturl": {"type": "string", "format": "uri", "description": "Then set, the user will be redirected to this URL when hitting the logout link."}
 },
 "required": [ "clientid", "clientsecret" ]
 },
@@ -762,7 +764,8 @@
 "newAccounts": { "type": "boolean", "default": false },
 "newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
 "clientid": { "type": "string" },
- "clientsecret": { "type": "string" }
+ "clientsecret": { "type": "string" },
+ "logouturl": {"type": "string", "format": "uri", "description": "Then set, the user will be redirected to this URL when hitting the logout link."}
 },
 "required": [ "clientid", "clientsecret" ]
 },
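Review bot: The `description` added for `logouturl` reads "Then set, the user will be redirected…", which looks like a typo for `"When set, the user will be redirected to this URL when hitting the logout link."`; the same string is repeated in all seven strategy blocks of meshcentral-config-schema.json, so it needs fixing in each hunk. The schema also declares `"format": "uri"`, while the handler added in webserver.js only checks `typeof … == 'string'`, so the format is presumably advisory unless the config is validated against this schema when it is loaded.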
@@ -773,7 +776,8 @@
 "newAccounts": { "type": "boolean", "default": false },
 "newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
 "clientid": { "type": "string" },
- "clientsecret": { "type": "string" }
+ "clientsecret": { "type": "string" },
+ "logouturl": {"type": "string", "format": "uri", "description": "Then set, the user will be redirected to this URL when hitting the logout link."}
 },
 "required": [ "clientid", "clientsecret" ]
 },
@@ -785,7 +789,8 @@
 "newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
 "clientid": { "type": "string" },
 "clientsecret": { "type": "string" },
- "tenantid": { "type": "string" }
+ "tenantid": { "type": "string" },
+ "logouturl": {"type": "string", "format": "uri", "description": "Then set, the user will be redirected to this URL when hitting the logout link."}
 },
 "required": [ "clientid", "clientsecret", "tenantid" ]
 },
@@ -797,7 +802,8 @@
 "newAccountsUserGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
 "entityid": { "type": "string" },
 "idpurl": { "type": "string", "format": "uri" },
- "cert": { "type": "string" }
+ "cert": { "type": "string" },
+ "logouturl": {"type": "string", "format": "uri", "description": "Then set, the user will be redirected to this URL when hitting the logout link."}
 },
 "required": [ "entityid", "idpurl", "cert" ]
 },
@@ -811,7 +817,8 @@
 "newAccountsRights": { "type": "array", "uniqueItems": true, "items": { "type": "string" } },
 "entityid": { "type": "string" },
 "idpurl": { "type": "string", "format": "uri" },
- "cert": { "type": "string" }
+ "cert": { "type": "string" },
+ "logouturl": {"type": "string", "format": "uri", "description": "Then set, the user will be redirected to this URL when hitting the logout link."}
 },
 "required": [ "entityid", "idpurl", "cert" ]
 }
diff --git a/webserver.js b/webserver.js
index d340468d..d5c6baed 100644
--- a/webserver.js
+++ b/webserver.js
@@ -764,13 +764,28 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 res.set({ 'Cache-Control': 'no-store' });
 // Destroy the user's session to log them out will be re-created next request
+ var userid = req.session.userid;
 if (req.session.userid) {
 var user = obj.users[req.session.userid];
 if (user != null) { obj.parent.DispatchEvent(['*'], obj, { etype: 'user', userid: user._id, username: user.name, action: 'logout', msgid: 2, msg: 'Account logout', domain: domain.id }); }
 }
 req.session = null;
- if (req.query.key != null) { res.redirect(domain.url + '?key=' + req.query.key); } else { res.redirect(domain.url); }
 parent.debug('web', 'handleLogoutRequest: success.');
+
+ // If this user was logged in using an authentication strategy and there is a logout URL, use it.
+ if ((userid != null) && (domain.authstrategies != null)) {
+ const u = userid.split('/')[2];
+ if (u.startsWith('~twitter:') && (domain.authstrategies.twitter != null) && (typeof domain.authstrategies.twitter.logouturl == 'string')) { res.redirect(domain.authstrategies.twitter.logouturl); return; }
+ if (u.startsWith('~google:') && (domain.authstrategies.google != null) && (typeof domain.authstrategies.google.logouturl == 'string')) { res.redirect(domain.authstrategies.google.logouturl); return; }
+ if (u.startsWith('~github:') && (domain.authstrategies.github != null) && (typeof domain.authstrategies.github.logouturl == 'string')) { res.redirect(domain.authstrategies.github.logouturl); return; }
+ if (u.startsWith('~reddit:') && (domain.authstrategies.reddit != null) && (typeof domain.authstrategies.reddit.logouturl == 'string')) { res.redirect(domain.authstrategies.reddit.logouturl); return; }
+ if (u.startsWith('~azure:') && (domain.authstrategies.azure != null) && (typeof domain.authstrategies.azure.logouturl == 'string')) { res.redirect(domain.authstrategies.azure.logouturl); return; }
+ if (u.startsWith('~jumpcloud:') && (domain.authstrategies.jumpcloud != null) && (typeof domain.authstrategies.jumpcloud.logouturl == 'string')) { res.redirect(domain.authstrategies.jumpcloud.logouturl); return; }
+ if (u.startsWith('~saml:') && (domain.authstrategies.saml != null) && (typeof domain.authstrategies.saml.logouturl == 'string')) { res.redirect(domain.authstrategies.saml.logouturl); return; }
+ }
+
+ // This is the default logout redirect to the login page
+ if (req.query.key != null) { res.redirect(domain.url + '?key=' + req.query.key); } else { res.redirect(domain.url); }
 }
 // Return true if this user has 2-step auth active
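Review bot: `const u = userid.split('/')[2];` is undefined whenever the session's userid has fewer than three `/`-separated parts, so the first `u.startsWith(...)` would throw after `req.session = null` has already run, and the request would presumably end in an error response rather than a redirect. The userid is presumably always of the form `user/<domain>/<name>`, but a `typeof u == 'string'` guard costs nothing. The seven strategy checks also differ only in the strategy name, so a single allow-listed match keeps the userid prefix and the config key from drifting apart; a sketch follows. `logouturl` is only checked to be a string here, so it may be worth rejecting values that are not absolute http(s) URLs when the config is loaded. The enclosing logout handler begins above the hunk.

```javascript
// … unchanged: session teardown, logout event and debug line …
if ((typeof userid == 'string') && (domain.authstrategies != null)) {
    const u = userid.split('/')[2];
    // Only the known strategy names are accepted as keys into domain.authstrategies.
    const m = (typeof u == 'string') ? /^~(twitter|google|github|reddit|azure|jumpcloud|saml):/.exec(u) : null;
    const strategy = (m != null) ? domain.authstrategies[m[1]] : null;
    if ((strategy != null) && (typeof strategy.logouturl == 'string')) { res.redirect(strategy.logouturl); return; }
}
// … unchanged: default redirect to domain.url …
```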