Update logout url logic #1148
Conversation
Co-authored-by: contact <[email protected]>
```rust
    redirect_uri: &str,
    site_prefix: &str,
    client_secret: &str,
    user_id: Option<&str>,
```
@cursoragent the user id should be mandatory
```rust
    user_id: Option<&str>,
) -> String {
    let timestamp = chrono::Utc::now().timestamp();
    let signature = compute_logout_signature(redirect_uri, timestamp, client_secret);
```
@cursoragent the user id should be part of the signed message
Good catch — right now the HMAC only covers redirect_uri and timestamp, so the user_id we append wouldn’t be protected. I’ll update compute_logout_signature (and verify_logout_params) to append the user_id bytes into the MAC input, make the query parameter required whenever we have a logged-in user, and adjust the tests accordingly so the entire logout URL (including the user id) is signed and validated.
Include the OIDC user ID in logout URLs for authenticated users and fall back to the redirect URL for anonymous users to provide a meaningful destination.
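The signing scheme the review asks for, as an added Python illustration rather than the project's Rust code: the user id is a mandatory input to the MAC, every field of the logout URL is covered, and verification checks the timestamp window and compares digests in constant time. The length-prefixed message encoding, the secret, the five-minute validity window and all names are this example's own assumptions, not something the PR specifies.

```python
import hmac
import hashlib
import time
from typing import Optional
from urllib.parse import urlencode

CLIENT_SECRET = b"example-client-secret"  # constructed; real value comes from config
MAX_AGE_SECONDS = 300                      # assumed validity window for a signed URL


def logout_message(redirect_uri: str, timestamp: int, user_id: str) -> bytes:
    """Canonical MAC input covering every parameter carried in the logout URL.
    Each field is length-prefixed so that moving bytes from one field to its
    neighbour always produces a different message (plain concatenation does not)."""
    msg = b""
    for field in (redirect_uri.encode(), str(timestamp).encode(), user_id.encode()):
        msg += len(field).to_bytes(4, "big") + field
    return msg


def compute_logout_signature(redirect_uri: str, timestamp: int, user_id: str, secret: bytes) -> str:
    """HMAC-SHA256 over redirect_uri, timestamp and the (required) user id."""
    return hmac.new(secret, logout_message(redirect_uri, timestamp, user_id), hashlib.sha256).hexdigest()


def build_logout_url(site_prefix: str, redirect_uri: str, user_id: str,
                     secret: bytes, now: Optional[int] = None) -> str:
    """user_id is a plain str here, i.e. mandatory, as the reviewer requested."""
    ts = int(time.time()) if now is None else now
    sig = compute_logout_signature(redirect_uri, ts, user_id, secret)
    query = urlencode({"redirect_uri": redirect_uri, "timestamp": ts, "user_id": user_id, "sig": sig})
    return f"{site_prefix}/logout?{query}"


def verify_logout_params(redirect_uri: str, timestamp: int, user_id: str,
                         sig: str, secret: bytes, now: int) -> bool:
    """Reject stale or future-dated URLs first, then compare MACs in constant time."""
    if not (now - MAX_AGE_SECONDS <= timestamp <= now + 60):
        return False
    expected = compute_logout_signature(redirect_uri, timestamp, user_id, secret)
    return hmac.compare_digest(expected, sig)
```

Because the user id is inside the MAC, a URL issued for one user fails verification if the `user_id` parameter is altered, which the original two-field signature would not have caught.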