From 1e5c4df163bb14f29b835435fb62ada26eb6dd1c Mon Sep 17 00:00:00 2001 From: David Mosbach Date: Sun, 10 Mar 2024 19:43:54 +0000 Subject: [PATCH] chore(auth): fix single sign out redirect route --- .../categories/authorization/de-de-formal.msg | 1 + .../uniworx/categories/authorization/en-eu.msg | 1 + routes | 3 ++- src/Auth/OAuth2.hs | 1 + src/Foundation/Navigation.hs | 1 + src/Handler/SingleSignOut.hs | 14 +++++++++++--- 6 files changed, 17 insertions(+), 4 deletions(-) diff --git a/messages/uniworx/categories/authorization/de-de-formal.msg b/messages/uniworx/categories/authorization/de-de-formal.msg index 4c0773001..667051a51 100644 --- a/messages/uniworx/categories/authorization/de-de-formal.msg +++ b/messages/uniworx/categories/authorization/de-de-formal.msg @@ -140,4 +140,5 @@ FormHoneypotComment: Kommentar FormHoneypotCommentPlaceholder: Kommentar FormHoneypotFilled: Bitte füllen Sie keines der verstecken Felder aus +Logout: Abmeldung SingleSignOut: Abmeldung bei Azure diff --git a/messages/uniworx/categories/authorization/en-eu.msg b/messages/uniworx/categories/authorization/en-eu.msg index 7dc17b924..f31413299 100644 --- a/messages/uniworx/categories/authorization/en-eu.msg +++ b/messages/uniworx/categories/authorization/en-eu.msg @@ -141,4 +141,5 @@ FormHoneypotComment: Comment FormHoneypotCommentPlaceholder: Comment FormHoneypotFilled: Please do not fill in any of the hidden fields +Logout: Logout SingleSignOut: Azure logout diff --git a/routes b/routes index e42a707e5..13f6914f9 100644 --- a/routes +++ b/routes @@ -46,7 +46,8 @@ /static StaticR EmbeddedStatic appStatic !free /auth AuthR Auth getAuth !free -/ssout SSOutR GET !free -- single sign-out (OIDC) +/logout SOutR GET !free +/logout/ssout SSOutR GET !free -- single sign-out (OIDC) /metrics MetricsR GET !free -- verify if this can be free diff --git a/src/Auth/OAuth2.hs b/src/Auth/OAuth2.hs index c85af461b..5ed9921e2 100644 --- a/src/Auth/OAuth2.hs +++ b/src/Auth/OAuth2.hs 
@@ -167,5 +167,6 @@ singleSignOut mRedirect = do endpoint = case mRedirect of Just r -> base <> "?post_logout_redirect_uri=" <> r Nothing -> base + $logErrorS "\n\27[31mSSO\27[0m" endpoint redirect endpoint diff --git a/src/Foundation/Navigation.hs b/src/Foundation/Navigation.hs index c0a642a2e..b37d51416 100644 --- a/src/Foundation/Navigation.hs +++ b/src/Foundation/Navigation.hs @@ -73,6 +73,7 @@ breadcrumb :: ( BearerAuthSite UniWorX => Route UniWorX -> m Breadcrumb breadcrumb (AuthR _) = i18nCrumb MsgMenuLogin $ Just NewsR +breadcrumb SOutR = i18nCrumb MsgLogout Nothing breadcrumb SSOutR = i18nCrumb MsgSingleSignOut Nothing breadcrumb (StaticR _) = i18nCrumb MsgBreadcrumbStatic Nothing breadcrumb (WellKnownR _) = i18nCrumb MsgBreadcrumbWellKnown Nothing diff --git a/src/Handler/SingleSignOut.hs b/src/Handler/SingleSignOut.hs index 44ec813a2..8b89a19d0 100644 --- a/src/Handler/SingleSignOut.hs +++ b/src/Handler/SingleSignOut.hs @@ -3,7 +3,8 @@ -- SPDX-License-Identifier: AGPL-3.0-or-later module Handler.SingleSignOut - ( getSSOutR + ( getSOutR + , getSSOutR ) where import Import @@ -11,13 +12,20 @@ import Auth.OAuth2 (singleSignOut) import qualified Network.Wai as W +getSOutR :: Handler Html +getSOutR = do + $logErrorS "\27[31mSOut\27[0m" "Redirect to LogoutR" + redirect $ AuthR LogoutR + getSSOutR :: Handler Html getSSOutR = do app <- getYesod - let logoutR = intercalate "/" . fst . renderRoute $ AuthR LogoutR + let redir = intercalate "/" . fst . renderRoute $ SOutR root = case approot of ApprootRequest f -> f app W.defaultRequest _ -> error "approt implementation changed" + url = decodeUtf8 . urlEncode True . encodeUtf8 $ root <> "/" <> redir AppSettings{..} <- getsYesod appSettings' - if appSingleSignOn then singleSignOut (Just $ root <> "/" <> logoutR) else redirect (AuthR LogoutR) + $logErrorS "\27[31mSSOut\27[0m" "Redirect to auth server" + if appSingleSignOn then singleSignOut (Just url) else redirect (AuthR LogoutR)
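Review bot: The added `$logErrorS "\n\27[31mSSO\27[0m" endpoint` in `singleSignOut` reads like leftover debug tracing: it logs at error severity on every normal sign-out, and it puts a newline and ANSI colour escapes into the log source, which breaks line-oriented log parsing and skews any alerting keyed on error-level entries. The same pattern is added in `getSOutR` and `getSSOutR` in src/Handler/SingleSignOut.hs. I would either drop these lines or turn them into a plain debug entry, e.g. `$logDebugS "SSO" endpoint`. `singleSignOut` starts outside this hunk, so how `base` is built is not visible here.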
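Review bot: The percent-encoding of the post-logout redirect is done at the call site in `getSSOutR` (`url = decodeUtf8 . urlEncode True . encodeUtf8 $ root <> "/" <> redir`), while `singleSignOut` in src/Auth/OAuth2.hs still appends its argument verbatim after `?post_logout_redirect_uri=`. That leaves the encoding to each caller, so a later caller passing a raw URL that contains `&` or `#` would produce a query with extra or truncated parameters. Moving the `urlEncode True` step into `singleSignOut` would let this handler stay at `singleSignOut (Just $ root <> "/" <> redir)` and make the helper safe by construction. Separately, the redirect target changes from the `AuthR LogoutR` path to `SOutR`; presumably the identity provider only accepts registered post-logout URIs, so the new `/logout` URL would need to be registered there before deployment.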