1.0.2

fix: hardcoded / in logout route and not default to user injected config
2026-01-28 04:39:30 +01:00 · 2026-01-28 04:39:22 +01:00
6 changed files with 35 additions and 187 deletions
--- a/README.md
+++ b/README.md
@@ -4,97 +4,54 @@ Astro integration that injects OIDC login/callback/logout routes, a middleware t

 ## Install

-```sh
 npm install @resuely/astro-oidc-rp
-```

 ## Usage (astro.config.mjs)

-```js
 import { defineConfig } from "astro/config";
 import resuelyOidc from "@resuely/astro-oidc-rp";

 export default defineConfig({
  integrations: [
    resuelyOidc({
-      issuer: { env: "OIDC_ISSUER", fallback: "https://your-idp" },
-      clientId: { env: "OIDC_CLIENT_ID" },
-      cookie: { signingSecret: { env: "OIDC_SIGNING_SECRET" } },
+      issuer: "https://your-idp",
+      clientId: "YOUR_CLIENT_ID",
+      cookie: { signingSecret: process.env.OIDC_SIGNING_SECRET! },
      protected: ["/app/*", "/me"],
    }),
  ],
 });
-```

-Injected routes (defaults):
-
- Login: `/login`
- Callback: `/oidc/callback`
- Logout: `/logout`
- Logout callback: `/logout/callback`
+- Injected routes:
+  - Login: /login
+  - Callback: /oidc/callback
+  - Logout: /logout

 ## Options
-
-```ts
-issuer: { env: string; fallback?: string }; // required
-clientId: { env: string; fallback?: string }; // required
-scopes?: string; // default: "openid email profile"
-routes?: {
-  login?: string;
-  callback?: string;
-  logout?: string;
-  logoutCallback?: string;
-};
-redirectUri?: { mode: "infer-from-request" } | { absolute: string };
-cookie: {
-  name?: string;
-  sameSite?: "Lax" | "Strict" | "None";
-  secure?: boolean;
-  domain?: string;
-  path?: string;
-  signingSecret: { env: string };
-  maxAgeSec?: number;
-};
-protected?: string[]; // path patterns
-```
+- issuer: string (required)
+- clientId: string (required)
+- scopes?: string (default: "openid email profile")
+- routes?: { login?: string; callback?: string; logout?: string }
+- redirectUri?: { mode: "infer-from-request" } | { absolute: string }
+- cookie?: { name?: string; sameSite?: "Lax"|"Strict"|"None"; secure?: boolean; domain?: string; path?: string; signingSecret: string; maxAgeSec?: number }
+- protected?: string[] patterns

 ## Types: Astro.locals
 Enable type augmentation by referencing the package export:

-Add to your `tsconfig.json`:
+- Add to your tsconfig.json: { "compilerOptions": { "types": ["@resuely/astro-oidc-rp/astro-locals"] } }

-```json
-{
-  "compilerOptions": {
-    "types": ["@resuely/astro-oidc-rp/astro-locals"]
-  }
-}
-```
-
-Then `Astro.locals.user` is typed as:
-
-```ts
-{ sub: string; email?: string } | null | undefined
-```
+Then `locals.user` is typed as `{ sub: string; email?: string } | null | undefined`.

 ## Security notes
 - Always provide a strong `cookie.signingSecret`.
- Cookies are `Secure` by default; for local HTTP development you may need `cookie.secure: false`.
+- In production, cookies are `Secure` by default.
 - The init cookie used during login is short-lived (5 minutes) and set `HttpOnly` + `SameSite=Lax`.

 ## Build & Publish

-Build:
-
-```sh
-npm run build
-```
-
-Publish:
-
-```sh
-npm publish --access public
-```
+- Build: npm run build
+- Publish to npm: npm publish --access public

 ## License
 MIT
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@resuely/astro-oidc-rp",
-  "version": "1.1.0",
+  "version": "1.0.2",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@resuely/astro-oidc-rp",
-      "version": "1.1.0",
+      "version": "1.0.2",
      "license": "MIT",
      "dependencies": {
        "jose": "^5.0.0"
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@resuely/astro-oidc-rp",
-  "version": "1.1.0",
+  "version": "1.0.2",
  "description": "Astro integration providing OIDC relying-party routes, middleware, and types.",
  "type": "module",
  "main": "dist/index.js",
--- a/src/index.ts
+++ b/src/index.ts
@@ -14,12 +14,7 @@ export type OidcIntegrationOptions = {
  issuer: EnvString;
  clientId: EnvString;
  scopes?: string; // default "openid email profile"
-  routes?: {
-    login?: string;
-    callback?: string;
-    logout?: string;
-    logoutCallback?: string;
-  }; // defaults: /login, /oidc/callback, /logout, /logout/callback
+  routes?: { login?: string; callback?: string; logout?: string }; // defaults: /login, /oidc/callback, /logout
  redirectUri?: { mode: "infer-from-request" } | { absolute: string };
  cookie: {
    name?: string;
@@ -39,7 +34,7 @@ export type OidcInjectedOptions = {
  clientIdEnv: string;
  clientIdFallback?: string;
  scopes: string;
-  routes: { login: string; callback: string; logout: string; logoutCallback: string };
+  routes: { login: string; callback: string; logout: string };
  redirectUri: { mode: "infer-from-request" } | { absolute: string };
  cookie: {
    name: string;
@@ -64,8 +59,6 @@ function resolveOptions(user: OidcIntegrationOptions): OidcInjectedOptions {
    login: user.routes?.login ?? "/login",
    callback: user.routes?.callback ?? "/oidc/callback",
    logout: user.routes?.logout ?? "/logout",
-    logoutCallback:
-      user.routes?.logoutCallback ?? `${user.routes?.logout ?? "/logout"}/callback`,
  };
  const cookie = {
    name: user.cookie?.name ?? "oidc_session",
@@ -133,10 +126,6 @@ export default function resuelyOidc(
          pattern: resolved.routes.logout,
          entrypoint: fileURLToPath(new URL("./routes/logout.js", import.meta.url)),
        });
-        injectRoute({
-          pattern: resolved.routes.logoutCallback,
-          entrypoint: fileURLToPath(new URL("./routes/logout.js", import.meta.url)),
-        });
      },
    },
  };
--- a/src/routes/logout.ts
+++ b/src/routes/logout.ts
@@ -1,7 +1,6 @@
 import type { APIContext } from "astro";
 import { getOptions } from "../runtime.js";
-import { clearCookie, serializeCookie } from "../lib/cookies.js";
-import { generateState } from "../lib/pkce.js";
+import { clearCookie } from "../lib/cookies.js";

 async function discover(issuer: string) {
  const res = await fetch(
@@ -13,134 +12,37 @@ async function discover(issuer: string) {
  };
 }

-type LogoutCookie = {
-  state: string;
-  returnTo?: string;
-};
-
-function parseCookies(cookieHeader: string | null): Record<string, string> {
-  const out: Record<string, string> = {};
-  if (!cookieHeader) return out;
-  for (const part of cookieHeader.split(/;\s*/)) {
-    const idx = part.indexOf("=");
-    if (idx === -1) continue;
-    const name = decodeURIComponent(part.slice(0, idx));
-    const val = decodeURIComponent(part.slice(idx + 1));
-    out[name] = val;
-  }
-  return out;
-}
-
-function safeReturnTo(reqUrl: URL, returnTo: string | undefined): string {
-  if (!returnTo) return "/";
-  try {
-    const target = new URL(returnTo, reqUrl);
-    if (target.origin !== reqUrl.origin) return "/";
-    return target.toString();
-  } catch {
-    return "/";
-  }
-}
-
 function inferPostLogoutRedirectUri(
  options: ReturnType<typeof getOptions>,
  reqUrl: URL,
 ): string {
-  const u = new URL(options.routes.logoutCallback, reqUrl);
+  if ("absolute" in options.redirectUri) return options.redirectUri.absolute;
+  const u = new URL(options.routes.callback, reqUrl);
  return u.toString();
 }

-function parseLogoutCookie(raw: string): LogoutCookie | null {
-  let decoded: string;
-  try {
-    decoded = decodeURIComponent(raw);
-  } catch {
-    return null;
-  }
-
-  let parsed: unknown;
-  try {
-    parsed = JSON.parse(decoded);
-  } catch {
-    return null;
-  }
-
-  if (!parsed || typeof parsed !== "object") return null;
-  if (!("state" in parsed) || typeof parsed.state !== "string") return null;
-  const returnTo =
-    "returnTo" in parsed && typeof parsed.returnTo === "string"
-      ? parsed.returnTo
-      : undefined;
-  return { state: parsed.state, returnTo };
-}
-
 export async function GET(ctx: APIContext) {
  const options = getOptions();
  const { url } = ctx;
-
-  const isCallback = url.pathname === options.routes.logoutCallback;
-  const logoutCookieName = `${options.cookie.name}_logout`;
-
-  if (isCallback) {
-    const state = url.searchParams.get("state") || "";
-    const cookies = parseCookies(ctx.request.headers.get("cookie"));
-    const cookie = cookies[logoutCookieName];
-    const parsed = cookie ? parseLogoutCookie(cookie) : null;
-
-    const ok = parsed && parsed.state === state;
-    const location = ok ? safeReturnTo(url, parsed.returnTo) : "/";
-
-    const headers = new Headers();
-    headers.set("Location", location);
-    headers.append(
-      "Set-Cookie",
-      clearCookie(options.cookie.name, {
-        path: options.cookie.path,
-        domain: options.cookie.domain,
-      }),
-    );
-    headers.append(
-      "Set-Cookie",
-      clearCookie(logoutCookieName, {
-        path: options.cookie.path,
-        domain: options.cookie.domain,
-      }),
-    );
-
-    return new Response(null, { status: 303, headers });
-  }
-
  const disco = await discover(options.issuer);
  const endSession =
    disco.end_session_endpoint || new URL("/logout", options.issuer).toString();

-  const state = generateState();
-  const returnTo = url.searchParams.get("return_to") || undefined;
-  const cookieValue = JSON.stringify({ state, returnTo });
-  const setLogout = serializeCookie(logoutCookieName, cookieValue, {
-    path: options.cookie.path,
-    domain: options.cookie.domain,
-    sameSite: "Lax",
-    secure: options.cookie.secure,
-    httpOnly: true,
-    maxAge: 5 * 60,
-  });
-
  const postLogout = inferPostLogoutRedirectUri(options, url);
  const redirect = new URL(endSession);
  redirect.searchParams.set("client_id", options.clientId);
  redirect.searchParams.set("post_logout_redirect_uri", postLogout);
-  redirect.searchParams.set("state", state);

  const clear = clearCookie(options.cookie.name, {
    path: options.cookie.path,
    domain: options.cookie.domain,
  });

-  const headers = new Headers();
-  headers.set("Location", redirect.toString());
-  headers.append("Set-Cookie", clear);
-  headers.append("Set-Cookie", setLogout);
-
-  return new Response(null, { status: 303, headers });
+  return new Response(null, {
+    status: 303,
+    headers: {
+      Location: redirect.toString(),
+      "Set-Cookie": clear,
+    },
+  });
 }
--- a/src/runtime.ts
+++ b/src/runtime.ts
@@ -9,7 +9,7 @@ export type OidcRuntimeOptions = {
  issuer: string;
  clientId: string;
  scopes: string;
-  routes: { login: string; callback: string; logout: string; logoutCallback: string };
+  routes: { login: string; callback: string; logout: string };
  redirectUri: { mode: "infer-from-request" } | { absolute: string };
  cookie: {
    name: string;
Author	SHA1	Message	Date
Raul Lugo	31b85ba8bb	1.0.2	2026-01-28 04:39:30 +01:00
Raul Lugo	b5bc4a74bf	fix: hardcoded / in logout route and not default to user injected config	2026-01-28 04:39:22 +01:00