Implement logout in js

Author: blacelle

js/e2e-tests/fake-player.mjs

@@ -7,7 +7,7 @@ export default {
 
         return response;
     },
-    
+
     async showLoginOptions(page) {
         await page.getByRole("link", { name: /You need to login/ }).click();
     },

js/e2e-tests/localhost-login-dev.spec.js

@@ -11,12 +11,12 @@ const url = "http://localhost:8080";
 //});
 
 // We just check the login page is working OK
-test('showLoginOptions', async ({ page }) => {
+test("showLoginOptions", async ({ page }) => {
     await page.goto(url);
     await fakePlayer.showLoginOptions(page);
 });
 
-test('login', async ({ page }) => {
+test("login", async ({ page }) => {
     await page.goto(url);
     await fakePlayer.login(page);
 });

js/src/main/resources/static/index.html

@@ -101,7 +101,12 @@
                     component: KumiteBoard,
                     props: true,
                 },
-                { path: "/html/login", component: LoginChecker },
+                {
+                    path: "/html/login",
+                    component: LoginChecker,
+                    // https://stackoverflow.com/questions/44783787/bind-query-to-props-with-vue-router
+                    // props: route => Object.assign({}, route.query, route.params)
+                },
                 { path: "/html/about", component: AboutView },
             ];
 

js/src/main/resources/static/ui/js/login-checker.js

@@ -1,13 +1,23 @@
+import { ref, watch } from "vue";
+
 import { mapState } from "pinia";
 import { useKumiteStore } from "./store.js";
 
+import { useRouter } from "vue-router";
+
 import LoginOptions from "./login-providers.js";
 
 export default {
 	// https://vuejs.org/guide/components/registration#local-registration
 	components: {
 		LoginOptions,
 	},
+	props: {
+		logout: {
+			type: String,
+			required: false,
+		},
+	},
 	computed: {
 		...mapState(useKumiteStore, ["nbAccountFetching", "account", "needsToLogin"]),
 		...mapState(useKumiteStore, {
@@ -16,12 +26,82 @@ export default {
 			},
 		}),
 	},
-	setup() {
+	setup(props) {
 		const store = useKumiteStore();
+		const router = useRouter();
 
 		store.loadUser();
 
-		return {};
+		const csrfToken = ref({});
+		const fetchCsrfToken = async function () {
+			try {
+				const response = await fetch(`/api/login/v1/csrf`);
+				if (!response.ok) {
+					throw new Error("Rejected request for logout");
+				}
+
+				const json = await response.json();
+				const csrfHeader = json.header;
+				console.log("csrf header", csrfHeader);
+
+				const freshCrsfToken = response.headers.get(csrfHeader);
+				if (!freshCrsfToken) {
+					throw new Error("Invalid csrfToken");
+				}
+				console.debug("csrf", freshCrsfToken);
+
+				csrfToken.value = { header: csrfHeader, token: freshCrsfToken };
+			} catch (e) {
+				console.error("Issue on Network: ", e);
+			}
+		};
+
+		const doLogout = function () {
+			console.info("Logout");
+			async function fetchFromUrl(url) {
+				// https://www.baeldung.com/spring-security-csrf
+				// If we relied on Cookie, `.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())` we could get the csrfToken with:
+				// const csrfToken = document.cookie.replace(/(?:(?:^|.*;\s*)XSRF-TOKEN\s*\=\s*([^;]*).*$)|^.*$/, '$1');
+
+				// https://stackoverflow.com/questions/60265617/how-do-you-include-a-csrf-token-in-a-vue-js-application-with-a-spring-boot-backe
+				const headers = { [csrfToken.value.header]: csrfToken.value.token };
+
+				try {
+					const response = await fetch(url, {
+						method: "POST",
+						headers: headers,
+
+						// https://stackoverflow.com/questions/39735496/redirect-after-a-fetch-post-call
+						// https://github.com/whatwg/fetch/issues/601#issuecomment-502667208
+						redirect: "follow",
+					});
+					if (!response.ok) {
+						throw new Error("Rejected request for logout");
+					}
+
+					const json = await response.json();
+
+					// We we can not intercept 3XX to extract the Location header, we introduced an API providing the Location as body of a 2XX.
+					const logoutHtmlRoute = json["Location"];
+
+					console.info("Redirect to logout route", logoutHtmlRoute);
+
+					router.push(logoutHtmlRoute);
+
+					// We force reloading the page to take in account the removed SESSION
+					// There should be a cleaner way to do it, without full-reload
+					router.go(0);
+				} catch (e) {
+					console.error("Issue on Network: ", e);
+				}
+			}
+
+			fetchCsrfToken().then(() => {
+				fetchFromUrl(`/logout`);
+			});
+		};
+
+		return { doLogout };
 	},
 	template: /* HTML */ `
         <div v-if="needsToLogin">
@@ -30,6 +110,10 @@ export default {
                 <LoginOptions />
             </div>
         </div>
-        <div v-else>Welcome {{user.raw.name}}. ?Logout?</div>
+        <div v-else>
+            Welcome {{user.raw.name}}.
+
+            <button class="btn btn-danger" @click="doLogout">Logout</button>
+        </div>
     `,
 };

js/src/main/resources/static/ui/js/store.js

@@ -35,7 +35,7 @@ export const useKumiteStore = defineStore("kumite", {
 		nbBoardFetching: 0,
 
 		// Currently connected account
-		account: { raw: {}},
+		account: { raw: {} },
 		tokens: {},
 		// Initially, we assume we are logged-in as we may have a session cookie
 		// May be turned to true by 401 on `loadUser()`
@@ -54,7 +54,7 @@ export const useKumiteStore = defineStore("kumite", {
 		nbBoardOperating: 0,
 	}),
 	getters: {
-        isLoggedIn: (store) => Object.keys(store.account.raw).length > 0,
+		isLoggedIn: (store) => Object.keys(store.account.raw).length > 0,
 		// There will be a way to choose a different playerId amongst the account playerIds
 		playingPlayerId: (store) => store.account.playerId,
 		// Default headers: we authenticate ourselves
@@ -212,7 +212,7 @@ export const useKumiteStore = defineStore("kumite", {
 				}
 			}
 
-			return this.ensureUser().then(user => {
+			return this.ensureUser().then((user) => {
 				console.log("We do have a User. Let's fetch tokens", user);
 				return fetchFromUrl(`/api/login/v1/oauth2/token?player_id=${this.playingPlayerId}`);
 			});

player/src/main/resources/application.yml

@@ -1,4 +1,6 @@
 spring:
+    main:
+        banner-mode: "off"
     application.name: kumite-player
     # https://stackoverflow.com/questions/26105061/spring-boot-without-the-web-server
     main.web-application-type: NONE

server/pom.xml

@@ -113,6 +113,13 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
 			<scope>test</scope>
+			<exclusions>
+				<exclusion>
+					<!-- https://github.com/skyscreamer/JSONassert/pull/194 -->
+					<groupId>com.vaadin.external.google</groupId>
+					<artifactId>android-json</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>io.projectreactor</groupId>

server/src/main/java/eu/solven/kumite/account/login/SocialWebFluxSecurity.java

@@ -1,5 +1,7 @@
 package eu.solven.kumite.account.login;
 
+import java.net.URI;
+
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
@@ -15,6 +17,8 @@
 import org.springframework.security.oauth2.server.resource.web.server.BearerTokenServerAuthenticationEntryPoint;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
+import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
+import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
 
 import com.nimbusds.jwt.JWT;
@@ -56,6 +60,10 @@ public SecurityWebFilterChain configureUi(ServerProperties serverProperties,
 						// provider
 						"/api/login/v1/**",
 						"/oauth2/**",
+
+						// The logout route (do a POST to logout, i.e. clear the session)
+						"/logout",
+
 						// Holds static resources (e.g. `/ui/js/store.js`)
 						"/ui/js/**",
 						"/ui/img/**",
@@ -69,6 +77,17 @@ public SecurityWebFilterChain configureUi(ServerProperties serverProperties,
 						"/swagger-ui.html",
 						"/swagger-ui/**",
 						"/webjars/**"))
+
+				.csrf(csrf -> {
+					csrf
+							// https://docs.spring.io/spring-security/reference/reactive/exploits/csrf.html#webflux-csrf-configure-custom-repository
+							// .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
+
+							// This will NOT provide the CSRF as a header: `X-CSRF-TOKEN`
+							// But it wlll help making it available on `/api/login/v1/csrf`
+							.csrfTokenRepository(new WebSessionServerCsrfTokenRepository());
+				})
+
 				.authorizeExchange(auth -> auth
 
 						// Login does not requires being loggged-in yet
@@ -78,9 +97,11 @@ public SecurityWebFilterChain configureUi(ServerProperties serverProperties,
 						// Swagger UI
 						.pathMatchers("/swagger-ui.html", "/swagger-ui/**")
 						.permitAll()
-						// The route used by the SPA
+
+						// The route used by the SPA: they all serve index.html
 						.pathMatchers("/", "/html/**")
 						.permitAll()
+
 						// Webjars and static resources
 						.pathMatchers("/ui/js/**", "/ui/img/**", "/webjars/**", "/favicon.ico")
 						.permitAll()
@@ -90,7 +111,9 @@ public SecurityWebFilterChain configureUi(ServerProperties serverProperties,
 						.pathMatchers("/api/login/v1/user",
 								"/api/login/v1/oauth2/token",
 								"/api/login/v1/html",
-								"/api/login/v1/providers")
+								"/api/login/v1/providers",
+								"/api/login/v1/csrf",
+								"/api/login/v1/logout")
 						.permitAll()
 
 						// The rest needs to be authenticated
@@ -99,7 +122,7 @@ public SecurityWebFilterChain configureUi(ServerProperties serverProperties,
 
 				// `/html/login` has to be synced with the SPA login route
 				.formLogin(login -> {
-					String loginPage = ("http%s://localhost:8080" + "/html/login").formatted(isSsl ? "s" : "");
+					String loginPage = "/html/login".formatted(isSsl ? "s" : "");
 					login.loginPage(loginPage)
 							// Required not to get an NPE at `.build()`
 							.authenticationManager(ram);
@@ -108,11 +131,17 @@ public SecurityWebFilterChain configureUi(ServerProperties serverProperties,
 				// https://docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html
 				// https://stackoverflow.com/questions/74242738/how-to-logout-from-oauth-signed-in-web-app-with-github
 				.oauth2Login(oauth2 -> {
-					String loginSuccess =
-							("http%s://localhost:8080" + "/html/login?success").formatted(isSsl ? "s" : "");
+					String loginSuccess = "/html/login?success".formatted(isSsl ? "s" : "");
 					oauth2.authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler(loginSuccess));
 				})
 
+				.logout(logout -> {
+					RedirectServerLogoutSuccessHandler logoutSuccessHandler = new RedirectServerLogoutSuccessHandler();
+					// We need to redirect to a 2XX URL, and not a 3XX URL, as Fetch API can not intercept redirections.
+					logoutSuccessHandler.setLogoutSuccessUrl(URI.create("/api/login/v1/logout"));
+					logout.logoutSuccessHandler(logoutSuccessHandler);
+				})
+
 				.build();
 	}
 

server/src/main/java/eu/solven/kumite/app/controllers/KumiteLoginController.java

@@ -19,11 +19,13 @@
 import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.security.web.server.csrf.CsrfToken;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.server.ServerWebExchange;
 
 import eu.solven.kumite.account.KumiteUser;
 import eu.solven.kumite.account.KumiteUserRawRaw;
@@ -177,4 +179,28 @@ void checkValidPlayerId(KumiteUser user, UUID playerId) {
 		}
 	}
 
+	// It seems much easier to return the CSRF through a dedicated API, than through Cookies and Headers, as SpringBoot
+	// seems to require advanced tweaking to get it populated automatically
+	// https://docs.spring.io/spring-security/reference/reactive/exploits/csrf.html#webflux-csrf-configure-custom-repository
+	@GetMapping("/csrf")
+	public Mono<ResponseEntity<?>> csrf(ServerWebExchange exchange) {
+		Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());
+		if (csrfToken == null) {
+			throw new IllegalStateException("No csrfToken is available");
+		}
+
+		return csrfToken.map(csrf -> ResponseEntity.ok()
+				.header(csrf.getHeaderName(), csrf.getToken())
+				.body(Map.of("header", csrf.getHeaderName())));
+	}
+
+	/**
+	 * @return the logout URL as a 2XX code, as 3XX can not be intercepted with Fetch API.
+	 * @see https://github.com/whatwg/fetch/issues/601#issuecomment-502667208
+	 */
+	@GetMapping("/logout")
+	public Map<String, String> loginpage() {
+		return Map.of(HttpHeaders.LOCATION, "/html/login?logout");
+	}
+
 }

server/src/main/resources/application.yml

@@ -1,4 +1,7 @@
 spring:
+    application.name: kumite-contests
+    main:
+        banner-mode: "off"
     profiles:
         # Do not add any default `include`, else `default` would never kicks in
         group:
@@ -25,8 +28,6 @@ spring:
                 - default_server
             unsafe_external_oauth2:
                 - default_server
-    main:
-        banner-mode: "off"
 
 logging:
     level: