Add ODIC Back-Channel Logout

.prettierignore

@@ -3,3 +3,5 @@ drop-base/
 pnpm-lock.yaml
 
 torrential/
+.data/**
+**/.data/**

eslint.config.mjs

@@ -1,10 +1,13 @@
 // @ts-check
+import { globalIgnores } from "eslint/config";
 import withNuxt from "./.nuxt/eslint.config.mjs";
 import eslintConfigPrettier from "eslint-config-prettier/flat";
 import vueI18n from "@intlify/eslint-plugin-vue-i18n";
 import noPrismaDelete from "./rules/no-prisma-delete.mts";
 
 export default withNuxt([
+  globalIgnores([".data/*"]),
+
   eslintConfigPrettier,
 
   // vue-i18n plugin

nuxt.config.ts

@@ -2,7 +2,8 @@ import tailwindcss from "@tailwindcss/vite";
 import { execSync } from "node:child_process";
 import { readFileSync, existsSync } from "node:fs";
 import path from "node:path";
-import module from "module";
+import module from "node:module";
+import { fileURLToPath } from "node:url";
 import { type } from "arktype";
 
 const packageJsonSchema = type({
@@ -91,6 +92,11 @@ export default defineNuxtConfig({
 
   routeRules: {
     "/api/**": { cors: true },
+
+    // redirect old OIDC callback route
+    "/auth/callback/oidc": {
+      redirect: "/api/v1/auth/odic/callback",
+    },
   },
 
   nitro: {
@@ -116,7 +122,6 @@ export default defineNuxtConfig({
 
     scheduledTasks: {
       "0 * * * *": ["dailyTasks"],
-      "*/30 * * * *": ["downloadCleanup"],
     },
 
     storage: {
@@ -266,11 +271,7 @@ function getDropVersion(): string {
   // example nightly: "v0.3.0-nightly.2025.05.28"
   const defaultVersion = "v0.0.0-alpha.0";
 
-  // get path
-  const packageJsonPath = path.join(
-    path.dirname(import.meta.url.replace("file://", "")),
-    "package.json",
-  );
+  const packageJsonPath = fileURLToPath(import.meta.resolve("./package.json"));
 
   if (!existsSync(packageJsonPath)) {
     console.error("Could not find package.json, using default version.");

package.json

@@ -44,6 +44,7 @@
     "file-type-mime": "^0.4.3",
     "jdenticon": "^3.3.0",
     "kjua": "^0.10.0",
+    "jose": "^6.1.3",
     "luxon": "^3.6.1",
     "micromark": "^4.0.1",
     "normalize-url": "^8.0.2",
@@ -93,5 +94,5 @@
       "vue3-carousel": "^0.16.0"
     }
   },
-  "packageManager": "pnpm@10.15.0+sha512.486ebc259d3e999a4e8691ce03b5cac4a71cbeca39372a9b762cb500cfdf0873e2cb16abe3d951b1ee2cf012503f027b98b6584e4df22524e0c7450d9ec7aa7b"
+  "packageManager": "pnpm@10.27.0+sha512.72d699da16b1179c14ba9e64dc71c9a40988cbdc65c264cb0e489db7de917f20dcf4d64d8723625f2969ba52d4b7e2a1170682d9ac2a5dcaeaab732b7e16f04a"
 }

pnpm-workspace.yaml

@@ -9,7 +9,7 @@ onlyBuiltDependencies:
   - sharp
   - unrs-resolver
 
-overrides:
-  droplet: link:../../.local/share/pnpm/global/5/node_modules/@drop-oss/droplet
+# overrides:
+#   droplet: link:../../.local/share/pnpm/global/5/node_modules/@drop-oss/droplet
 
 shamefullyHoist: true

server/routes/auth/callback/oidc.get.ts → server/api/v1/auth/odic/callback.get.ts

@@ -1,15 +1,19 @@
 import sessionHandler from "~/server/internal/session";
 import authManager from "~/server/internal/auth";
+import type { Session } from "~/server/internal/session/types";
 
 defineRouteMeta({
   openAPI: {
-    tags: ["Auth"],
+    tags: ["Auth", "OIDC"],
     description: "OIDC Signin callback",
     parameters: [],
   },
 });
 
 export default defineEventHandler(async (h3) => {
+  // dont cache login responses
+  setHeader(h3, "Cache-Control", "no-store");
+
   const enabledAuthManagers = authManager.getAuthProviders();
   if (!enabledAuthManagers.OpenID) return sendRedirect(h3, "/auth/signin");
 
@@ -38,11 +42,20 @@ export default defineEventHandler(async (h3) => {
       statusMessage: `Failed to sign in: "${result}". Please try again.`,
     });
 
-  const sessionResult = await sessionHandler.signin(h3, result.user.id, true);
+  // Attach OIDC session data
+  const oidcData: Session["oidc"] = {
+    iss: result.claims.iss,
+  };
+  if (result.claims.sub) oidcData.sub = result.claims.sub;
+  if (result.claims.sid) oidcData.sid = result.claims.sid;
+
+  const sessionResult = await sessionHandler.signin(h3, result.user.id, {
+    rememberMe: true,
+    oidc: oidcData,
+  });
   if (sessionResult == "fail")
     throw createError({ statusCode: 500, message: "Failed to set session" });
-
-  if (sessionResult == "2fa") {
+  else if (sessionResult == "2fa") {
     return sendRedirect(
       h3,
       `/auth/mfa?redirect=${result.options.redirect ? encodeURIComponent(result.options.redirect) : "/"}`,

server/api/v1/auth/odic/logout.post.ts

@@ -0,0 +1,46 @@
+// import sessionHandler from "~/server/internal/session";
+import authManager from "~/server/internal/auth";
+
+defineRouteMeta({
+  openAPI: {
+    tags: ["Auth", "OIDC"],
+    description: "OIDC logout back-channel",
+    parameters: [],
+  },
+});
+
+export default defineEventHandler(async (h3) => {
+  // dont cache logout responses
+  setHeader(h3, "Cache-Control", "no-store");
+
+  const enabledAuthManagers = authManager.getAuthProviders();
+  if (!enabledAuthManagers.OpenID)
+    throw createError({
+      statusCode: 400,
+      message: "OIDC not enabled.",
+    });
+
+  const logout_token = (await readFormData(h3)).get("logout_token");
+  if (typeof logout_token !== "string")
+    throw createError({
+      statusCode: 400,
+      message: "Invalid OIDC logout notification.",
+    });
+  const okay = await enabledAuthManagers.OpenID.handleLogout(logout_token);
+  if (!okay) {
+    throw createError({
+      statusCode: 400,
+      message: "Invalid OIDC logout notification.",
+    });
+  }
+
+  // const result = OIDCLogoutTokenV1(logout_token);
+
+  //   const manager = enabledAuthManagers.OpenID;
+
+  //   const query = getQuery(h3);
+
+  return {
+    success: true,
+  };
+});

server/api/v1/auth/passkey/finish.post.ts

@@ -98,7 +98,9 @@ export default defineEventHandler(async (h3) => {
     },
   });
 
-  await sessionHandler.signin(h3, mfaMec.userId, true);
+  await sessionHandler.signin(h3, mfaMec.userId, {
+    rememberMe: true,
+  });
   await sessionHandler.mfa(h3, 10);
 
   return {};

server/api/v1/auth/signin/simple.post.ts

@@ -84,17 +84,16 @@ export default defineEventHandler<{
       });
 
     // TODO: send user to forgot password screen or something to force them to change their password to new system
-    const result = await sessionHandler.signin(
-      h3,
-      authMek.userId,
-      body.rememberMe,
-    );
+    const result = await sessionHandler.signin(h3, authMek.userId, {
+      rememberMe: body.rememberMe ?? false,
+    });
     if (result === "fail")
       throw createError({
         statusCode: 500,
         message: "Failed to create session",
       });
-    return { userId: authMek.userId, result };
+
+    return { result: result, userId: authMek.userId };
   }
 
   // V2: argon2
@@ -111,11 +110,9 @@ export default defineEventHandler<{
       statusMessage: t("errors.auth.invalidUserOrPass"),
     });
 
-  const result = await sessionHandler.signin(
-    h3,
-    authMek.userId,
-    body.rememberMe,
-  );
+  const result = await sessionHandler.signin(h3, authMek.userId, {
+    rememberMe: body.rememberMe ?? false,
+  });
   if (result == "fail")
     throw createError({ statusCode: 500, message: "Failed to create session" });
   return { userId: authMek.userId, result };

server/internal/auth/index.ts

@@ -14,7 +14,7 @@ class AuthManager {
   private initFuncs: {
     [K in keyof typeof this.authProviders]: () => Promise<unknown>;
   } = {
-    [AuthMec.OpenID]: OIDCManager.prototype.create,
+    [AuthMec.OpenID]: OIDCManager.create,
     [AuthMec.Simple]: async () => {
       const disabled = process.env.DISABLE_SIMPLE_AUTH as string | undefined;
       return !disabled;