1.1.1

fix: safe redirect if return_to is protected after logout
1.1.0
2026-01-29 17:43:53 +01:00 · 2026-01-29 17:43:47 +01:00 · 2026-01-28 11:56:25 +01:00 · 2026-01-28 11:55:57 +01:00
9 changed files with 246 additions and 42 deletions
--- a/README.md
+++ b/README.md
@@ -4,54 +4,97 @@ Astro integration that injects OIDC login/callback/logout routes, a middleware t
 ## Install
 ```sh
 npm install @resuely/astro-oidc-rp
 ```
 ## Usage (astro.config.mjs)
 ```js
 import { defineConfig } from "astro/config";
 import resuelyOidc from "@resuely/astro-oidc-rp";
 export default defineConfig({
  integrations: [
    resuelyOidc({
-      issuer: "https://your-idp",
+      issuer: { env: "OIDC_ISSUER", fallback: "https://your-idp" },
-      clientId: "YOUR_CLIENT_ID",
+      clientId: { env: "OIDC_CLIENT_ID" },
-      cookie: { signingSecret: process.env.OIDC_SIGNING_SECRET! },
+      cookie: { signingSecret: { env: "OIDC_SIGNING_SECRET" } },
      protected: ["/app/*", "/me"],
    }),
  ],
 });
 ```
- Injected routes:
+Injected routes (defaults):
-  - Login: /login
+
-  - Callback: /oidc/callback
+- Login: `/login`
-  - Logout: /logout
+- Callback: `/oidc/callback`
 - Logout: `/logout`
 - Logout callback: `/logout/callback`
 ## Options
- issuer: string (required)
+
- clientId: string (required)
+```ts
- scopes?: string (default: "openid email profile")
+issuer: { env: string; fallback?: string }; // required
- routes?: { login?: string; callback?: string; logout?: string }
+clientId: { env: string; fallback?: string }; // required
- redirectUri?: { mode: "infer-from-request" } | { absolute: string }
+scopes?: string; // default: "openid email profile"
- cookie?: { name?: string; sameSite?: "Lax"|"Strict"|"None"; secure?: boolean; domain?: string; path?: string; signingSecret: string; maxAgeSec?: number }
+routes?: {
- protected?: string[] patterns
+  login?: string;
  callback?: string;
  logout?: string;
  logoutCallback?: string;
 };
 redirectUri?: { mode: "infer-from-request" } | { absolute: string };
 cookie: {
  name?: string;
  sameSite?: "Lax" | "Strict" | "None";
  secure?: boolean;
  domain?: string;
  path?: string;
  signingSecret: { env: string };
  maxAgeSec?: number;
 };
 protected?: string[]; // path patterns
 ```
 ## Types: Astro.locals
 Enable type augmentation by referencing the package export:
- Add to your tsconfig.json: { "compilerOptions": { "types": ["@resuely/astro-oidc-rp/astro-locals"] } }
+Add to your `tsconfig.json`:
-Then `locals.user` is typed as `{ sub: string; email?: string } | null | undefined`.
+```json
 {
  "compilerOptions": {
    "types": ["@resuely/astro-oidc-rp/astro-locals"]
  }
 }
 ```
 Then `Astro.locals.user` is typed as:
 ```ts
 { sub: string; email?: string } | null | undefined
 ```
 ## Security notes
 - Always provide a strong `cookie.signingSecret`.
- In production, cookies are `Secure` by default.
+- Cookies are `Secure` by default; for local HTTP development you may need `cookie.secure: false`.
 - The init cookie used during login is short-lived (5 minutes) and set `HttpOnly` + `SameSite=Lax`.
 ## Build & Publish
- Build: npm run build
+Build:
- Publish to npm: npm publish --access public
+
 ```sh
 npm run build
 ```
 Publish:
 ```sh
 npm publish --access public
 ```
 ## License
 MIT
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@resuely/astro-oidc-rp",
-  "version": "1.0.1",
+  "version": "1.1.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@resuely/astro-oidc-rp",
-      "version": "1.0.1",
+      "version": "1.1.1",
      "license": "MIT",
      "dependencies": {
        "jose": "^5.0.0"
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@resuely/astro-oidc-rp",
-  "version": "1.0.1",
+  "version": "1.1.1",
  "description": "Astro integration providing OIDC relying-party routes, middleware, and types.",
  "type": "module",
  "main": "dist/index.js",
--- a/src/index.ts
+++ b/src/index.ts
@@ -14,7 +14,12 @@ export type OidcIntegrationOptions = {
  issuer: EnvString;
  clientId: EnvString;
  scopes?: string; // default "openid email profile"
-  routes?: { login?: string; callback?: string; logout?: string }; // defaults: /login, /oidc/callback, /logout
+  routes?: {
    login?: string;
    callback?: string;
    logout?: string;
    logoutCallback?: string;
  }; // defaults: /login, /oidc/callback, /logout, /logout/callback
  redirectUri?: { mode: "infer-from-request" } | { absolute: string };
  cookie: {
    name?: string;
@@ -34,7 +39,7 @@ export type OidcInjectedOptions = {
  clientIdEnv: string;
  clientIdFallback?: string;
  scopes: string;
-  routes: { login: string; callback: string; logout: string };
+  routes: { login: string; callback: string; logout: string; logoutCallback: string };
  redirectUri: { mode: "infer-from-request" } | { absolute: string };
  cookie: {
    name: string;
@@ -59,6 +64,8 @@ function resolveOptions(user: OidcIntegrationOptions): OidcInjectedOptions {
    login: user.routes?.login ?? "/login",
    callback: user.routes?.callback ?? "/oidc/callback",
    logout: user.routes?.logout ?? "/logout",
    logoutCallback:
      user.routes?.logoutCallback ?? `${user.routes?.logout ?? "/logout"}/callback`,
  };
  const cookie = {
    name: user.cookie?.name ?? "oidc_session",
@@ -126,6 +133,10 @@ export default function resuelyOidc(
          pattern: resolved.routes.logout,
          entrypoint: fileURLToPath(new URL("./routes/logout.js", import.meta.url)),
        });
        injectRoute({
          pattern: resolved.routes.logoutCallback,
          entrypoint: fileURLToPath(new URL("./routes/logout.js", import.meta.url)),
        });
      },
    },
  };
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -21,6 +21,11 @@ function escapeRegex(str: string): string {
 }
 function globToRegExp(pattern: string): RegExp {
  if (pattern.endsWith("/*")) {
    const base = pattern.slice(0, -2);
    const baseEscaped = escapeRegex(base);
    return new RegExp(`^${baseEscaped}(?:/.*)?$`);
  }
  const escaped = pattern.split("*").map(escapeRegex).join(".*");
  return new RegExp(`^${escaped}$`);
 }
@@ -38,12 +43,17 @@ export const onRequest: MiddlewareHandler = async (context, next) => {
  locals.user = null;
  if (token) {
-    const res = await verifyAndDecode<{ sub: string; email?: string }>(
+    const res = await verifyAndDecode<{
-      token,
+      sub: string;
-      options.cookie.signingSecret,
+      email?: string;
-    );
+      firstName?: string;
    }>(token, options.cookie.signingSecret);
    if (res.valid && res.payload && typeof res.payload.sub === "string") {
-      locals.user = { sub: res.payload.sub, email: res.payload.email };
+      locals.user = {
        sub: res.payload.sub,
        email: res.payload.email,
        firstName: res.payload.firstName,
      };
    }
  }
--- a/src/routes/callback.ts
+++ b/src/routes/callback.ts
@@ -127,9 +127,13 @@ export async function GET(ctx: APIContext) {
    audience: options.clientId,
  });
  const givenName =
    typeof payload["given_name"] === "string" ? payload["given_name"] : undefined;
  const session = {
    sub: String(payload.sub),
    email: typeof payload.email === "string" ? payload.email : undefined,
    firstName: givenName,
  };
  const signed = await signPayload(session, options.cookie.signingSecret);
--- a/src/routes/logout.ts
+++ b/src/routes/logout.ts
@@ -1,6 +1,7 @@
 import type { APIContext } from "astro";
 import { getOptions } from "../runtime.js";
-import { clearCookie } from "../lib/cookies.js";
+import { clearCookie, serializeCookie } from "../lib/cookies.js";
 import { generateState } from "../lib/pkce.js";
 async function discover(issuer: string) {
  const res = await fetch(
@@ -12,38 +13,173 @@ async function discover(issuer: string) {
  };
 }
 type LogoutCookie = {
  state: string;
  returnTo?: string;
 };
 function parseCookies(cookieHeader: string | null): Record<string, string> {
  const out: Record<string, string> = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(/;\s*/)) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = decodeURIComponent(part.slice(0, idx));
    const val = decodeURIComponent(part.slice(idx + 1));
    out[name] = val;
  }
  return out;
 }
 function safeReturnTo(reqUrl: URL, returnTo: string | undefined): string {
  if (!returnTo) return "/";
  try {
    const target = new URL(returnTo, reqUrl);
    if (target.origin !== reqUrl.origin) return "/";
    return target.toString();
  } catch {
    return "/";
  }
 }
 function escapeRegex(str: string): string {
  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function globToRegExp(pattern: string): RegExp {
  if (pattern.endsWith("/*")) {
    const base = pattern.slice(0, -2);
    const baseEscaped = escapeRegex(base);
    return new RegExp(`^${baseEscaped}(?:/.*)?$`);
  }
  const escaped = pattern.split("*").map(escapeRegex).join(".*");
  return new RegExp(`^${escaped}$`);
 }
 function isProtected(pathname: string, patterns: string[]): boolean {
  return patterns.some((p) => globToRegExp(p).test(pathname));
 }
 function finalizePostLogoutReturnTo(
  options: ReturnType<typeof getOptions>,
  reqUrl: URL,
  returnTo: string | undefined,
 ): string {
  const safe = safeReturnTo(reqUrl, returnTo);
  try {
    const u = new URL(safe, reqUrl);
    if (isProtected(u.pathname, options.protected)) return new URL("/", reqUrl).toString();
    return u.toString();
  } catch {
    return new URL("/", reqUrl).toString();
  }
 }
 function inferPostLogoutRedirectUri(
  options: ReturnType<typeof getOptions>,
  reqUrl: URL,
 ): string {
-  if ("absolute" in options.redirectUri) return options.redirectUri.absolute;
+  const u = new URL(options.routes.logoutCallback, reqUrl);
  // Default to site root
  const u = new URL("/", reqUrl);
  return u.toString();
 }
 function parseLogoutCookie(raw: string): LogoutCookie | null {
  let decoded: string;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    return null;
  }
  let parsed: unknown;
  try {
    parsed = JSON.parse(decoded);
  } catch {
    return null;
  }
  if (!parsed || typeof parsed !== "object") return null;
  if (!("state" in parsed) || typeof parsed.state !== "string") return null;
  const returnTo =
    "returnTo" in parsed && typeof parsed.returnTo === "string"
      ? parsed.returnTo
      : undefined;
  return { state: parsed.state, returnTo };
 }
 export async function GET(ctx: APIContext) {
  const options = getOptions();
  const { url } = ctx;
  const isCallback = url.pathname === options.routes.logoutCallback;
  const logoutCookieName = `${options.cookie.name}_logout`;
  if (isCallback) {
    const state = url.searchParams.get("state") || "";
    const cookies = parseCookies(ctx.request.headers.get("cookie"));
    const cookie = cookies[logoutCookieName];
    const parsed = cookie ? parseLogoutCookie(cookie) : null;
    const ok = parsed && parsed.state === state;
    const location = ok
      ? finalizePostLogoutReturnTo(options, url, parsed.returnTo)
      : "/";
    const headers = new Headers();
    headers.set("Location", location);
    headers.append(
      "Set-Cookie",
      clearCookie(options.cookie.name, {
        path: options.cookie.path,
        domain: options.cookie.domain,
      }),
    );
    headers.append(
      "Set-Cookie",
      clearCookie(logoutCookieName, {
        path: options.cookie.path,
        domain: options.cookie.domain,
      }),
    );
    return new Response(null, { status: 303, headers });
  }
  const disco = await discover(options.issuer);
  const endSession =
    disco.end_session_endpoint || new URL("/logout", options.issuer).toString();
  const state = generateState();
  const returnTo = finalizePostLogoutReturnTo(
    options,
    url,
    url.searchParams.get("return_to") || undefined,
  );
  const cookieValue = JSON.stringify({ state, returnTo });
  const setLogout = serializeCookie(logoutCookieName, cookieValue, {
    path: options.cookie.path,
    domain: options.cookie.domain,
    sameSite: "Lax",
    secure: options.cookie.secure,
    httpOnly: true,
    maxAge: 5 * 60,
  });
  const postLogout = inferPostLogoutRedirectUri(options, url);
  const redirect = new URL(endSession);
  redirect.searchParams.set("client_id", options.clientId);
  redirect.searchParams.set("post_logout_redirect_uri", postLogout);
  redirect.searchParams.set("state", state);
  const clear = clearCookie(options.cookie.name, {
    path: options.cookie.path,
    domain: options.cookie.domain,
  });
-  return new Response(null, {
+  const headers = new Headers();
-    status: 303,
+  headers.set("Location", redirect.toString());
-    headers: {
+  headers.append("Set-Cookie", clear);
-      Location: redirect.toString(),
+  headers.append("Set-Cookie", setLogout);
-      "Set-Cookie": clear,
+
-    },
+  return new Response(null, { status: 303, headers });
  });
 }
--- a/src/runtime.ts
+++ b/src/runtime.ts
@@ -9,7 +9,7 @@ export type OidcRuntimeOptions = {
  issuer: string;
  clientId: string;
  scopes: string;
-  routes: { login: string; callback: string; logout: string };
+  routes: { login: string; callback: string; logout: string; logoutCallback: string };
  redirectUri: { mode: "infer-from-request" } | { absolute: string };
  cookie: {
    name: string;
--- a/types/astro.locals.d.ts
+++ b/types/astro.locals.d.ts
@@ -1,7 +1,7 @@
 declare global {
  namespace App {
    interface Locals {
-      user?: { sub: string; email?: string } | null;
+      user?: { sub: string; email?: string; firstName?: string } | null;
    }
  }
 }
Author	SHA1	Message	Date
Raul Lugo	04f00993db	1.1.1	2026-01-29 17:43:53 +01:00
Raul Lugo	81239dc6ab	fix: safe redirect if return_to is protected after logout	2026-01-29 17:43:47 +01:00
Raul Lugo	7aa0d63cc6	1.1.0	2026-01-28 11:56:25 +01:00
Raul Lugo	eceee79d0b	feat: logout callback with 'take me to I was' functionality	2026-01-28 11:55:57 +01:00