Caddy module to require at-proto authentication and restrict routes to DIDs


fix: revoke session credential on logout

+44
+11
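--- a/gate.go
+++ b/gate.go
@@ -160,6 +160,17 @@
 return json.NewEncoder(w).Encode(meta)
 }
 if r.URL.Path == "/logout" {
+// Invalidate credential if session exists
+sess, err := g.sessions.VerifyCookie(r)
+if err == nil || err == session.ErrExpired {
+if g.oauth != nil {
+// Standalone mode: we can logout directly
+if err := g.oauth.Logout(r.Context(), sess.DID); err != nil {
+g.logger.Error("failed to revoke session during logout", zap.Error(err))
+}
+}
+}
+
 // Clear session cookie
 http.SetCookie(w, g.sessions.ClearCookie(g.Domain))
 http.Redirect(w, r, "/login", http.StatusFound)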
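Review bot: `sess.DID` is read on the `session.ErrExpired` branch, so this relies on VerifyCookie returning a non-nil session together with that error; if it returns a nil session there, an expired cookie turns `/logout` into a nil-pointer panic instead of a cleared cookie. The same pattern is in the portal.go hunk. Comparing with `==` also misses a wrapped error, so a safer guard is `if sess != nil && (err == nil || errors.Is(err, session.ErrExpired)) {`. Note that a failed revocation is only logged while the cookie is still cleared, so the user appears logged out although the upstream credential may remain live; that is a reasonable best-effort choice but worth stating in the comment, e.g. `// Best effort: the cookie is cleared even if upstream revocation fails`. The enclosing handler starts and ends outside the hunk.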
+25
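--- a/internal/oauth/manager.go
+++ b/internal/oauth/manager.go
@@ -120,6 +120,31 @@
 return m.App.ResumeSession(ctx, did, latestSessionData.SessionID)
 }
 
+// Logout revokes the session for the given DID
+func (m *Manager) Logout(ctx context.Context, didStr string) error {
+did, err := syntax.ParseDID(didStr)
+if err != nil {
+return fmt.Errorf("invalid DID: %w", err)
+}
+
+// We assume the most recent session is the one to revoke
+store, ok := m.App.Store.(*db.Store)
+if !ok {
+return fmt.Errorf("store is not of expected type")
+}
+
+latestSessionData, err := store.GetLatestSession(ctx, did)
+if err != nil {
+return fmt.Errorf("failed to get latest session: %w", err)
+}
+if latestSessionData == nil {
+// No session found, so already logged out effectively
+return nil
+}
+
+return m.App.Logout(ctx, did, latestSessionData.SessionID)
+}
+
 // ProcessCallback exchanges the authorization code for an access token
 func (m *Manager) ProcessCallback(ctx context.Context, query url.Values) (*indigoOauth.ClientSessionData, string, error) {
 sess, err := m.App.ProcessCallback(ctx, query)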
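Review bot: Logout revokes whichever session GetLatestSession returns for the DID rather than the session the caller's cookie actually belongs to, as the hunk's own `// We assume the most recent session is the one to revoke` line admits; if a DID can hold more than one active session (several devices or browsers), this revokes the newest one and may leave the caller's credential live. If the cookie session carries the OAuth session ID, consider threading it through to this method so the right session is revoked, keeping the DID-only lookup as the fallback. Either way the doc comment should state the limitation, e.g. `// Logout revokes the most recently stored session for the given DID; when several sessions exist for the DID it may not be the caller's.` The wrapped error strings also mix styles — `"failed to get latest session: %w"` next to `"invalid DID: %w"` — so drop the `failed to` prefix to match.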
+8
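--- a/portal.go
+++ b/portal.go
@@ -237,6 +237,14 @@
 
 // 5. Logout
 if r.URL.Path == "/logout" {
+// Invalidate credential if session exists
+sess, err := p.sessions.VerifyCookie(r)
+if err == nil || err == session.ErrExpired {
+if err := p.oauth.Logout(r.Context(), sess.DID); err != nil {
+p.logger.Error("failed to revoke session during logout", zap.Error(err))
+}
+}
+
 http.SetCookie(w, p.sessions.ClearCookie(p.Domain))
 http.Redirect(w, r, "/login", http.StatusFound)
 return nil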
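Review bot: `p.oauth.Logout` is called here without the `!= nil` check that the gate.go hunk applies to `g.oauth`; if the portal can also run in a mode where `p.oauth` is unset, this is a nil-pointer panic on logout, and if it cannot, a short comment saying so (`// p.oauth is always set for the portal`) would keep the two handlers from looking inconsistent. The nil-session and `errors.Is` concern raised on the gate.go hunk applies to this hunk unchanged. The enclosing handler starts before the hunk.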