feat: enhance authentication flow and session management

- Added frontend URL to OIDC configuration for improved redirect handling.
- Updated session management to pass token expiration to the set_session function.
- Modified logout endpoint to return a logout URL for Keycloak, enhancing user experience.
- Adjusted CORS settings to restrict allowed origins for better security.

Author: atyrode

src/backend/config.py

@@ -17,7 +17,8 @@
     'client_secret': os.getenv('OIDC_CLIENT_SECRET'),
     'server_url': os.getenv('OIDC_SERVER_URL'),
     'realm': os.getenv('OIDC_REALM'),
-    'redirect_uri': os.getenv('REDIRECT_URI')
+    'redirect_uri': os.getenv('REDIRECT_URI'),
+    'frontend_url': os.getenv('FRONTEND_URL')
 }
 
 # Redis connection
@@ -36,8 +37,8 @@ def get_session(session_id: str) -> Optional[Dict[str, Any]]:
         return json.loads(session_data)
     return None
 
-def set_session(session_id: str, data: Dict[str, Any], expiry: int = 86400) -> None:
-    """Store session data in Redis with expiry in seconds (default 24 hours)"""
+def set_session(session_id: str, data: Dict[str, Any], expiry: int) -> None:
+    """Store session data in Redis with expiry in seconds"""
     redis_client.setex(
         f"session:{session_id}", 
         expiry,
@@ -56,7 +57,8 @@ def get_auth_url() -> str:
     params = {
         'client_id': OIDC_CONFIG['client_id'],
         'response_type': 'code',
-        'redirect_uri': OIDC_CONFIG['redirect_uri']
+        'redirect_uri': OIDC_CONFIG['redirect_uri'],
+        'scope': 'openid profile email'
     }
     return f"{auth_url}?{'&'.join(f'{k}={v}' for k,v in params.items())}"
 
@@ -126,7 +128,8 @@ async def refresh_token(session_id: str, token_data: Dict[str, Any]) -> Tuple[bo
             new_token_data = refresh_response.json()
 
             # Update session with new tokens
-            set_session(session_id, new_token_data)
+            expiry = new_token_data['expires_in']
+            set_session(session_id, new_token_data, expiry)
 
             return True, new_token_data
     except Exception as e:

src/backend/main.py

@@ -37,7 +37,7 @@ async def lifespan(_: FastAPI):
 # CORS middleware setup
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=["https://kc.pad.ws", "https://alex.pad.ws"],
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],

src/backend/routers/auth.py

@@ -2,10 +2,10 @@
 import jwt
 import httpx
 from fastapi import APIRouter, Request, HTTPException, Depends
-from fastapi.responses import RedirectResponse, FileResponse
+from fastapi.responses import RedirectResponse, FileResponse, JSONResponse
 import os
 
-from config import get_auth_url, get_token_url, OIDC_CONFIG, set_session, delete_session, STATIC_DIR
+from config import get_auth_url, get_token_url, OIDC_CONFIG, set_session, delete_session, STATIC_DIR, get_session
 from dependencies import SessionData, require_auth
 from coder import CoderAPI
 
@@ -72,24 +72,26 @@ async def callback(request: Request, code: str, state: str = "default"):
         return FileResponse(os.path.join(STATIC_DIR, "auth/popup-close.html"))
     else:
         return RedirectResponse('/')
-
+    
 @auth_router.get("/logout")
 async def logout(request: Request):
     session_id = request.cookies.get('session_id')
-    if session_id:
-        delete_session(session_id)
 
-    # Create a response that doesn't redirect but still clears the cookie
-    from fastapi.responses import JSONResponse
-    response = JSONResponse({"status": "success", "message": "Logged out successfully"})
+    session_data = get_session(session_id)
+    if not session_data:
+        return RedirectResponse('/')
+    
+    id_token = session_data.get('id_token', '')
+    
+    # Delete the session from Redis
+    delete_session(session_id)
+    
+    # Create the Keycloak logout URL with redirect back to our app
+    logout_url = f"{OIDC_CONFIG['server_url']}/realms/{OIDC_CONFIG['realm']}/protocol/openid-connect/logout"
+    redirect_uri = OIDC_CONFIG['frontend_url']  # Match the frontend redirect URI
+    full_logout_url = f"{logout_url}?id_token_hint={id_token}&post_logout_redirect_uri={redirect_uri}"
 
-    # Clear the session_id cookie with all necessary parameters
-    response.delete_cookie(
-        key="session_id",
-        path="/",
-        domain=None,  # Use None to match the current domain
-        secure=request.url.scheme == "https",
-        httponly=True
-    )
+    # Create a redirect response to Keycloak's logout endpoint
+    response = JSONResponse({"status": "success", "logout_url": full_logout_url})
 
     return response

src/frontend/src/ui/MainMenu.tsx

@@ -286,11 +286,13 @@ export const MainMenuConfig: React.FC<MainMenuConfigProps> = ({
             capture('logout_clicked');
 
             try {
-              // Call the logout endpoint but don't follow the redirect
-              await fetch('/auth/logout', { 
+              // Call the logout endpoint and get the session_id
+              const response = await fetch('/auth/logout', { 
                 method: 'GET',
                 credentials: 'include' 
               });
+              const data = await response.json();
+              const logoutUrl = data.logout_url;
 
               // Clear the session_id cookie client-side
               document.cookie = "session_id=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;";
@@ -299,6 +301,9 @@ export const MainMenuConfig: React.FC<MainMenuConfigProps> = ({
               queryClient.invalidateQueries({ queryKey: ['auth'] });
               queryClient.invalidateQueries({ queryKey: ['userProfile'] });
 
+              // Redirect to the logout URL
+              window.location.replace(logoutUrl);
+
               console.log("Logged out successfully");
             } catch (error) {
               console.error("Logout failed:", error);