jennie/ghostguild-org
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(auth): rewire OIDC logout/error flow through Nuxt pages
Some checks failed
Test / playwright (push) Blocked by required conditions
Details
Test / Notify on failure (push) Blocked by required conditions
Details
Test / visual (push) Blocked by required conditions
Details
Test / vitest (push) Has been cancelled
Details

Browse source 
Migrate three render callbacks in oidc-provider (logoutSource,
postLogoutSuccessSource, renderError) from the baked guildPageShell
helper to Nuxt pages under app/pages/auth/, so they go through the
font module and design system instead of a shadow copy.

- Delete guildPageShell (~103 lines of shadow design system).
- Add /auth/logout-success, /auth/oidc-error, /auth/logout-confirm
  pages built on dashed-box + btn + main.css tokens.
- renderError now allow-lists error + error_description into query
  params and lets Vue default interpolation escape them, closing an
  XSS where OIDC error fields were concatenated into raw HTML.
- logoutSource extracts the xsrf from oidc-provider's stable form
  output, sets it as an httpOnly 2-minute cookie, and redirects to
  /auth/logout-confirm. The confirm page reads the cookie during SSR,
  persists the value to useState, and clears the cookie so it's
  strictly one-time use. Defensive fallback keeps the raw auto-submit
  form if oidc-provider ever changes its form format.
- Fix form actions emitting http:// in production at the root cause:
  oidc-provider extends Koa but calls super() with no args, so
  app.proxy defaults to false and ctx.protocol ignores
  X-Forwarded-Proto. Set _provider.proxy = true after construction;
  remove the bogus proxy:true config key (silently ignored) and the
  form.replace('http://', 'https://') symptom patch. Make the
  x-forwarded-proto override in the catchall conditional on
  production + missing header (was unconditional + dead code).
- Add site-wide .btn:focus-visible rule in main.css for WCAG 2.4.7.

Verified in browser: Brygada 1918 loads on all three pages, contrast
ratios pass AA in dark + light, XSS payload escapes to text nodes
only, Set-Cookie: Max-Age=0 enforces one-time xsrf use, no
horizontal overflow at 500px, no console errors.
This commit is contained in:
Jennie Robinson Faber 2026-04-11 23:21:46 +01:00
parent 98d3610a08
commit de3bcc479a
6 changed files with 367 additions and 143 deletions
Download patch file Download diff file Expand all files Collapse all files

13
server/routes/oidc/[...].ts
View file

@ -17,8 +17,17 @@ export default defineEventHandler(async (event) => {
// The provider's routes config includes the /oidc prefix,
// so pass the full path through without stripping.
// Traefik terminates TLS — tell the provider we're on https
req.headers["x-forwarded-proto"] = "https";
// In production, Traefik sets X-Forwarded-Proto: https. Keep a defensive
// assignment only if the header isn't already present, and never in dev
// (where forcing https would make oidc-provider emit https://localhost URLs
// that the browser can't reach). The provider has app.proxy = true, so it
// honors whatever value is in this header.
if (
process.env.NODE_ENV === "production" &&
!req.headers["x-forwarded-proto"]
) {
req.headers["x-forwarded-proto"] = "https";
}
// Hand off to oidc-provider's Connect-style callback
const callback = provider.callback() as Function;