ghostguild-org/server
Jennie Robinson Faber 39eb9e039a
Some checks failed
Test / vitest (push) Failing after 6m9s
Test / playwright (push) Has been skipped
Test / visual (push) Has been skipped
Test / Notify on failure (push) Successful in 2s
fix(auth): auto-submit OIDC logout form to eliminate xsrf desync
Users clicking sign-out in the wiki were getting 'xsrf token invalid'.
The old logoutSource extracted the xsrf from oidc-provider's form into
a separate short-lived cookie and bounced through /auth/logout-confirm,
but that dance kept desyncing — the xsrf on the eventual submit didn't
always match the session state on /oidc/session/end/confirm.

Drop the custom confirmation page and auto-submit oidc-provider's own
form inline from logoutSource. The xsrf stays inside the original form
HTML the provider generated, so the validation is guaranteed to match.
Clicking sign-out in the wiki is already confirmation enough.

Also clear the Ghost Guild auth-token cookie in postLogoutSuccessSource
so signing out of the wiki fully signs the user out rather than leaving
a stale ghostguild.org session behind.
2026-04-15 18:26:51 +01:00
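The approach the commit message describes, sketched as an added example that is not the repository's own code: a `logoutSource` that embeds the provider-generated form (with its xsrf) untouched and auto-submits it, plus a `postLogoutSuccessSource` that expires the relying party's own session cookie. It assumes node-oidc-provider v7+ (hooks under `features.rpInitiatedLogout`), the default form id `op.logoutForm`, and placeholder cookie name and domain.

```javascript
// Added example, not ghostguild-org/server code. Sketch of the approach the
// commit describes for node-oidc-provider (assumes v7+, hooks live under
// features.rpInitiatedLogout). Cookie name and domain are placeholders.

// `form` from the provider already holds the hidden xsrf input bound to the
// session /session/end/confirm validates; embed it untouched so it cannot drift.
// 'op.logoutForm' is the id the provider's default page uses (assumption).
function renderAutoSubmitLogout(formHtml) {
  if (!/name="xsrf"/.test(formHtml)) {
    throw new Error('provider form lacks its xsrf field; refusing to auto-submit');
  }
  // logout=yes is what the provider's default "Yes, sign me out" button sends.
  return [
    '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>',
    formHtml,
    '<script>',
    '  var f = document.getElementById("op.logoutForm");',
    '  var i = document.createElement("input");',
    '  i.type = "hidden"; i.name = "logout"; i.value = "yes";',
    '  f.appendChild(i); f.submit();',
    '</script>',
    // No-JavaScript fallback: a real button posting the same provider form.
    '<noscript><button type="submit" form="op.logoutForm" name="logout" value="yes">Sign out</button></noscript>',
    '</body></html>',
  ].join('\n');
}

// Expiring a cookie only works when name, path and domain match how it was
// set; otherwise the stale session cookie survives the wiki sign-out.
const AUTH_COOKIE = { name: 'AUTH_TOKEN_COOKIE_PLACEHOLDER', domain: 'example.org', path: '/' };

function clearAuthCookie(ctx) {
  // Koa: a null value makes ctx.cookies.set emit an already-expired Set-Cookie.
  ctx.cookies.set(AUTH_COOKIE.name, null, {
    domain: AUTH_COOKIE.domain, path: AUTH_COOKIE.path, httpOnly: true, secure: true, sameSite: 'lax',
  });
}

// Where both hooks plug into the provider configuration.
const rpInitiatedLogout = {
  enabled: true,
  async logoutSource(ctx, form) {
    ctx.type = 'html'; ctx.body = renderAutoSubmitLogout(form);
  },
  async postLogoutSuccessSource(ctx) {
    clearAuthCookie(ctx);
    ctx.type = 'html'; ctx.body = '<!DOCTYPE html><html><body><p>Signed out.</p></body></html>';
  },
};
```

Because the xsrf never leaves the provider's own form, the value posted to `/session/end/confirm` is always the one the provider bound to the current session, which is what removes the desync.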
api Updates 2026-04-15 17:45:09 +01:00
config Lots of UI fixes 2025-10-08 19:02:24 +01:00
emails Refactor email templates to use plain text format and update sender addresses 2026-03-05 18:40:37 +00:00
middleware fix: use private helcimApiToken for all server-side Helcim API calls 2026-04-04 13:37:34 +01:00
migrations refactor(community): rename Community Connections → Community Ecology 2026-04-09 09:07:15 +01:00
models Updates 2026-04-15 17:45:09 +01:00
plugins Member/Ecology revamp. 2026-04-14 09:25:09 +01:00
routes fix(auth): survive missing OIDC interaction cookie on magic-link click 2026-04-15 18:18:33 +01:00
utils fix(auth): auto-submit OIDC logout form to eliminate xsrf desync 2026-04-15 18:26:51 +01:00