feat: revoke consent by session id. trigger back channel logout.

ory · Mar 16, 2022 · 220a774 · 220a774
1 parent 1726b54
commit 220a774
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 7 deletions.
diff --git a/consent/handler.go b/consent/handler.go
@@ -135,14 +135,26 @@ func (h *Handler) DeleteConsentSession(w http.ResponseWriter, r *http.Request, p
 			}
 		}
 	case allClients:
-		if triggerBackChannelLogout == "true" {
-			if err := h.r.ConsentStrategy().ExecuteBackChannelLogoutBySubject(r.Context(), r, subject); err != nil {
-				h.r.Logger().WithError(err).Warn("Unable to execute back channel logout")
+		if len(loginSessionId) > 0 {
+			if triggerBackChannelLogout == "true" {
+				if err := h.r.ConsentStrategy().ExecuteBackChannelLogoutBySession(r.Context(), r, subject, loginSessionId); err != nil {
+					h.r.Logger().WithError(err).Warn("Unable to execute back channel logout")
+				}
+			}
+			if err := h.r.ConsentManager().RevokeLoginSessionConsentSession(r.Context(), loginSessionId); err != nil && !errors.Is(err, x.ErrNotFound) {
+				h.r.Writer().WriteError(w, r, err)
+				return
+			}
+		} else {
+			if triggerBackChannelLogout == "true" {
+				if err := h.r.ConsentStrategy().ExecuteBackChannelLogoutBySubject(r.Context(), r, subject); err != nil {
+					h.r.Logger().WithError(err).Warn("Unable to execute back channel logout")
+				}
+			}
+			if err := h.r.ConsentManager().RevokeSubjectConsentSession(r.Context(), subject); err != nil && !errors.Is(err, x.ErrNotFound) {
+				h.r.Writer().WriteError(w, r, err)
+				return
 			}
-		}
-		if err := h.r.ConsentManager().RevokeSubjectConsentSession(r.Context(), subject); err != nil && !errors.Is(err, x.ErrNotFound) {
-			h.r.Writer().WriteError(w, r, err)
-			return
 		}
 	default:
 		h.r.Writer().WriteError(w, r, errorsx.WithStack(fosite.ErrInvalidRequest.WithHint(`Query parameter both 'client' and 'all' is not defined but one of them should have been.`)))

diff --git a/consent/manager.go b/consent/manager.go
@@ -42,6 +42,7 @@ type Manager interface {
 	GetConsentRequest(ctx context.Context, challenge string) (*ConsentRequest, error)
 	HandleConsentRequest(ctx context.Context, challenge string, r *HandledConsentRequest) (*ConsentRequest, error)
 	RevokeSubjectConsentSession(ctx context.Context, user string) error
+	RevokeLoginSessionConsentSession(ctx context.Context, loginSessionId string) error
 	RevokeSubjectClientConsentSession(ctx context.Context, user, client string) error
 	RevokeSubjectClientLoginSessionConsentSession(ctx context.Context, user, client, loginSessionId string) error
 

diff --git a/persistence/sql/persister_consent.go b/persistence/sql/persister_consent.go
@@ -28,6 +28,10 @@ func (p *Persister) RevokeSubjectConsentSession(ctx context.Context, user string
 	return p.transaction(ctx, p.revokeConsentSession("r.subject = ?", user))
 }
 
+func (p *Persister) RevokeLoginSessionConsentSession(ctx context.Context, loginSessionId string) error {
+	return p.transaction(ctx, p.revokeConsentSession("r.login_session_id = ?", loginSessionId))
+}
+
 func (p *Persister) RevokeSubjectClientConsentSession(ctx context.Context, user, client string) error {
 	return p.transaction(ctx, p.revokeConsentSession("r.subject = ? AND r.client_id = ?", user, client))
 }