FIX: Do not start the login flow when logging out from SSO/Authenticator (#8423)

This affects login_required sites which use SSO or have only one authenticator enabled. Previously, logging out would redirect to the homepage, which would then redirect to the identity provider. Now, users will be redirected to the Discourse login page. This avoids the confusing situation where a user appears to remain logged in after clicking logout. Sites which have explicitly defined a logout_redirect url are not affected by this change. For context, see https://meta.discourse.org/t/134138/2
2024-11-27 17:13:39 +08:00 · 2019-11-27 11:41:07 +00:00 · 2019-11-27 11:41:07 +00:00 · 1a6bbfd10b
commit 1a6bbfd10b
parent 13a0da8c39
1 changed files with 17 additions and 3 deletions
--- a/app/assets/javascripts/discourse/lib/logout.js.es6
+++ b/app/assets/javascripts/discourse/lib/logout.js.es6
@ -1,4 +1,6 @@
 import { isEmpty } from "@ember/utils";
+import { findAll } from "discourse/models/login-method";
+
 export default function logout(siteSettings, keyValueStore) {
  if (!siteSettings || !keyValueStore) {
    const container = Discourse.__container__;
@ -9,9 +11,21 @@ export default function logout(siteSettings, keyValueStore) {
  keyValueStore.abandonLocal();

  const redirect = siteSettings.logout_redirect;
-  if (isEmpty(redirect)) {
-    window.location = Discourse.getURL("/");
-  } else {
+  if (!isEmpty(redirect)) {
    window.location.href = redirect;
+    return;
  }
+
+  const sso = siteSettings.enable_sso;
+  const oneAuthenticator =
+    !siteSettings.enable_local_logins && findAll().length === 1;
+
+  if (siteSettings.login_required && (sso || oneAuthenticator)) {
+    // In this situation visiting most URLs will start the auth process again
+    // Go to the `/login` page to avoid an immediate redirect
+    window.location.href = Discourse.getURL("/login");
+    return;
+  }
+
+  window.location.href = Discourse.getURL("/");
 }