From 86f5abf9dafdd292ad24f6ec38b08084b203c87b Mon Sep 17 00:00:00 2001
From: Adam Mcgrath <adam.mcgrath@auth0.com>
Date: Thu, 2 Nov 2023 14:04:41 +0000
Subject: [PATCH] Honor params passed to logout over defaults (#533)

---
 lib/context.js       |  4 ++--
 test/logout.tests.js | 49 +++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/lib/context.js b/lib/context.js
index 05b8154..a872b6c 100644
--- a/lib/context.js
+++ b/lib/context.js
@@ -324,9 +324,9 @@ class ResponseContext {
 
       returnURL = client.endSessionUrl({
         ...config.logoutParams,
-        ...params.logoutParams,
-        post_logout_redirect_uri: returnURL,
         id_token_hint,
+        post_logout_redirect_uri: returnURL,
+        ...params.logoutParams,
       });
     } catch (err) {
       return next(err);
diff --git a/test/logout.tests.js b/test/logout.tests.js
index 21bfe36..37abe2c 100644
--- a/test/logout.tests.js
+++ b/test/logout.tests.js
@@ -95,7 +95,7 @@ describe('logout route', async () => {
     assert.include(
       response.headers,
       {
-        location: `https://op.example.com/session/end?post_logout_redirect_uri=http%3A%2F%2Fexample.org&id_token_hint=${idToken}`,
+        location: `https://op.example.com/session/end?id_token_hint=${idToken}&post_logout_redirect_uri=http%3A%2F%2Fexample.org`,
       },
       'should redirect to the identity provider'
     );
@@ -297,6 +297,53 @@ describe('logout route', async () => {
     assert.equal(url.hostname, 'foo.com');
   });
 
+  it('should honor logout url arguments over logout params', async () => {
+    const router = auth({
+      ...defaultConfig,
+      idpLogout: true,
+      routes: { logout: false },
+    });
+    server = await createServer(router);
+    router.get('/logout', (req, res) =>
+      res.oidc.logout({
+        logoutParams: { post_logout_redirect_uri: 'http://bar.com' },
+      })
+    );
+
+    const { jar } = await login();
+    const {
+      response: {
+        headers: { location },
+      },
+    } = await logout(jar);
+    const url = new URL(
+      new URL(location).searchParams.get('post_logout_redirect_uri')
+    );
+    assert.equal(url.hostname, 'bar.com');
+  });
+
+  it('should honor logout id_token_hint arguments over default', async () => {
+    const router = auth({
+      ...defaultConfig,
+      idpLogout: true,
+      routes: { logout: false },
+    });
+    server = await createServer(router);
+    router.get('/logout', (req, res) =>
+      res.oidc.logout({
+        logoutParams: { id_token_hint: null },
+      })
+    );
+
+    const { jar } = await login();
+    const {
+      response: {
+        headers: { location },
+      },
+    } = await logout(jar);
+    assert.notOk(new URL(location).searchParams.get('id_token_hint'));
+  });
+
   it('should ignore undefined or null logout params', async () => {
     server = await createServer(
       auth({