Clean token on logout

OCA · Nov 17, 2024 · 6d6d0c4 · 6d6d0c4
1 parent 89df146
commit 6d6d0c4
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 1 deletion.
diff --git a/auth_saml/controllers/main.py b/auth_saml/controllers/main.py
@@ -24,7 +24,8 @@
 from odoo.http import request
 from odoo.tools.misc import clean_context
 
-from odoo.addons.web.controllers.home import Home
+from odoo.addons.web.controllers.home import Session
+from odoo.addons.web.controllers.session import Session
 from odoo.addons.web.controllers.utils import _get_login_redirect_url, ensure_db
 
 _logger = logging.getLogger(__name__)
@@ -173,6 +174,7 @@ def _get_saml_extra_relaystate(self):
         }
         return state
 
+
     @http.route("/auth_saml/get_auth_request", type="http", auth="none")
     def get_auth_request(self, pid):
         provider_id = int(pid)
@@ -297,3 +299,18 @@ def saml_metadata(self, **kw):
                 ),
                 [("Content-Type", "text/xml")],
             )
+
+class SessionSAML(Session):
+
+    @http.route('/web/session/logout', type='http', auth='none', readonly=True)
+    def logout(self, redirect='/odoo'):
+        saml_user = request.env["res.users.saml"].sudo().search(
+            [
+                ("user_id", "=", request.env.user.id),
+                ("saml_access_token", "!=", False),
+            ]
+        )
+        if saml_user:
+            _logger.info("Delete saml token")
+            saml_user.saml_access_token = False
+        return super().logout(redirect=redirect)
diff --git a/auth_saml/models/auth_saml_provider.py b/auth_saml/models/auth_saml_provider.py
@@ -276,6 +276,38 @@ def _get_auth_request(self, extra_state=None, url_root=None):
         self._store_outstanding_request(reqid)
 
         return redirect_url
+
+    def _logout(self, saml_user, redirect, url_root=None):
+        """
+        build a logout request and give it back to our client
+        """
+        state = {
+            "d": self.env.cr.dbname,
+            "p": self.id,
+        }
+
+        sig_alg = ds.SIG_RSA_SHA1
+        if self.sig_alg:
+            sig_alg = getattr(ds, self.sig_alg)
+
+        saml_client = self._get_client_for_provider(url_root)
+        reqid, info = saml_client.prepare_for_logout(
+            sign=self.sign_authenticate_requests,
+            relay_state=json.dumps(state),
+            sigalg=sig_alg,
+        )
+
+        redirect_url = None
+        # Select the IdP URL to send the AuthN request to
+        for key, value in info["headers"]:
+            if key == "Location":
+                redirect_url = value
+
+        self._store_outstanding_request(reqid)
+
+        saml_user.saml_access_token = None
+
+        return redirect_url
 
     def _validate_auth_response(self, token: str, base_url: str = None):
         """return the validation data corresponding to the access token"""