fix(oidc): make logout endpoint handling robust for client signout flows

accept both /.well-known/solid/logout and /.well-known/solid/logout/ in OIDC auth routes
classify both well-known logout paths as logout requests in session/origin checks
keep logout flow consistent for cookie-backed sessions used by NSS
add integration coverage for the well-known logout endpoint in OIDC authentication tests
This fixes cases where client logout changed UI state but did not reliably trigger NSS server-side signout behavior.

Author: bourgeoa

lib/api/authn/webid-oidc.mjs

@@ -102,9 +102,24 @@ export function middleware (oidc) {
   router.get('/account/password/change', restrictToTopDomain, PasswordChangeRequest.get)
   router.post('/account/password/change', restrictToTopDomain, bodyParser, PasswordChangeRequest.post)
 
-  router.get('/.well-known/solid/logout/', (req, res) => res.redirect('/logout'))
+  router.get(['/.well-known/solid/logout', '/.well-known/solid/logout/'], (req, res) => res.redirect('/logout'))
 
-  router.get('/goodbye', (req, res) => { res.render('auth/goodbye') })
+  router.get('/goodbye', (req, res, next) => {
+    if (!req.session) {
+      return res.render('auth/goodbye')
+    }
+
+    const domain = req.session.cookie && req.session.cookie.domain
+    req.session.destroy((err) => {
+      if (err) {
+        return next(err)
+      }
+
+      const cookieOptions = domain ? { domain, path: '/' } : { path: '/' }
+      res.clearCookie('nssidp.sid', cookieOptions)
+      res.render('auth/goodbye')
+    })
+  })
 
   // The relying party callback is called at the end of the OIDC signin process
   router.get('/api/oidc/rp/:issuer_id', AuthCallbackRequest.get)

lib/create-app.mjs

@@ -321,7 +321,10 @@ function initLoggers () {
 function isLogoutRequest (req) {
   // TODO: this is a hack that hard-codes OIDC paths,
   // this code should live in the OIDC module
-  return req.path === '/logout' || req.path === '/goodbye'
+  return req.path === '/logout' ||
+    req.path === '/goodbye' ||
+    req.path === '/.well-known/solid/logout' ||
+    req.path === '/.well-known/solid/logout/'
 }
 
 /**

test/integration/authentication-oidc-test.mjs

@@ -532,6 +532,41 @@ describe('Authentication API (OIDC)', () => {
 
           it('should return a 200', () => expect(response).to.have.property('status', 200))
         })
+
+        describe('after logging out', () => {
+          let logoutResponse
+
+          before(done => {
+            alice.get('/logout')
+              .set('Cookie', cookie)
+              .end((err, res) => {
+                logoutResponse = res
+                done(err)
+              })
+          })
+
+          it('should redirect to the post-logout flow', () => {
+            expect(logoutResponse).to.have.property('status', 302)
+          })
+
+          it('should invalidate the previous session cookie', (done) => {
+            alice.get('/private-for-alice.txt')
+              .set('Cookie', cookie)
+              .end((err, res) => {
+                expect(res).to.have.property('status', 401)
+                done(err)
+              })
+          })
+
+          it('should also accept the well-known logout endpoint used by solid-auth-client', (done) => {
+            alice.get('/.well-known/solid/logout')
+              .set('Cookie', cookie)
+              .end((err, res) => {
+                expect(res).to.have.property('status', 302)
+                done(err)
+              })
+          })
+        })
       })
     })
 

test/integration/formats-test.mjs

@@ -82,11 +82,13 @@ describe('formats', function () {
   })
 
   describe('turtle', function () {
-    it('should return turtle document if Accept is set to turtle', function (done) {
-      server.get('/patch-5-initial.ttl')
+    this.timeout(10000)
+
+    it('should return turtle document if Accept is set to turtle', function () {
+      return server.get('/patch-5-initial.ttl')
         .set('accept', 'text/turtle;q=0.9,application/rdf+xml;q=0.8,text/plain;q=0.7,*/*;q=0.5')
         .expect('content-type', /text\/turtle/)
-        .expect(200, done)
+        .expect(200)
     })
 
     it('should return turtle document if Accept is set to turtle', function (done) {