vikunja/pkg/webtests
kolaente 970f3c3733 fix(auth): build OIDC end-session URL with id_token_hint and post_logout_redirect_uri
On OIDC logout Vikunja redirected to the configured `logouturl` with no query
parameters, so it never sent `id_token_hint` or `post_logout_redirect_uri`.
RP-Initiated-Logout-compliant providers (e.g. PocketID) then ignored the
post-logout redirect and left the user on the IdP's own login page.

This builds the end-session URL server-side from the OpenID Connect
RP-Initiated Logout 1.0 spec:

- id_token_hint (§2, RECOMMENDED): the ID token previously issued to the
  session. It lets the OP skip the logout-confirmation prompt and is what makes
  the OP honor post_logout_redirect_uri (the OP MAY require it, §3).
- post_logout_redirect_uri (§2, OPTIONAL): where the OP redirects after logout.
  MUST be pre-registered with the OP. Defaults to service.publicurl so the user
  lands back on Vikunja.
- client_id (§2, OPTIONAL): the RP client id; the OP verifies it matches the
  id_token_hint.

The end_session_endpoint is discovered from the provider's discovery document
(§2.1, REQUIRED metadata) and falls back to the static `logouturl` config when
the provider does not publish one.

To replay id_token_hint, the raw ID token (and the provider key) are persisted
on the session at the OIDC callback (new migration adds oidc_id_token /
oidc_provider_key columns to the sessions table). At logout the server reads
them, builds the URL, deletes the session, and returns the URL in the logout
response so the frontend redirects to it.

Security note: the raw ID token is stored at rest in the sessions table
(json:"-", never exposed over the API) and removed when the session is deleted
on logout.

Spec: OpenID Connect RP-Initiated Logout 1.0
https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Fixes #2820
2026-06-19 16:06:26 +02:00
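The commit message above describes how the end-session URL is assembled but shows no code. The following Go snippet is an added example, not Vikunja's own implementation: it parses a constructed discovery document for `end_session_endpoint`, falls back to a static logout URL when the provider publishes none, and appends `id_token_hint`, `post_logout_redirect_uri` and `client_id` as query parameters. The type and function names (`discoveryDoc`, `buildEndSessionURL`, `logoutParams`), the hostnames `id.example.test` / `todo.example.test` and the placeholder token are all assumptions for illustration. It also adds two checks a practitioner would want that the message does not mention: the endpoint must be `https` (the ID token travels in the query string) and the redirect must be an absolute URL.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// discoveryDoc holds the single field needed from the OP's discovery document.
// end_session_endpoint is absent on providers that do not support
// RP-Initiated Logout, which is why a static fallback is still needed.
type discoveryDoc struct {
	EndSessionEndpoint string `json:"end_session_endpoint"`
}

// parseEndSessionEndpoint returns the discovered endpoint, or "" when the
// document does not publish one.
func parseEndSessionEndpoint(discoveryJSON []byte) (string, error) {
	var d discoveryDoc
	if err := json.Unmarshal(discoveryJSON, &d); err != nil {
		return "", err
	}
	return d.EndSessionEndpoint, nil
}

// logoutParams are the RP-Initiated Logout query parameters; every field is
// optional and omitted from the URL when empty.
type logoutParams struct {
	IDToken  string // id_token_hint: the raw ID token issued to this session
	Redirect string // post_logout_redirect_uri: must be pre-registered at the OP
	ClientID string // client_id: lets the OP cross-check the id_token_hint
}

// buildEndSessionURL prefers the discovered endpoint, falls back to the static
// logout URL, and appends the logout parameters to any query the endpoint
// already carries.
func buildEndSessionURL(endSessionEndpoint, fallback string, p logoutParams) (string, error) {
	base := endSessionEndpoint
	if base == "" {
		base = fallback
	}
	if base == "" {
		return "", errors.New("no end_session_endpoint discovered and no fallback logout URL configured")
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	// The ID token is sent as a query parameter; never send it over plain http.
	if u.Scheme != "https" {
		return "", fmt.Errorf("end-session endpoint must be https, got %q", base)
	}
	q := u.Query()
	if p.IDToken != "" {
		q.Set("id_token_hint", p.IDToken)
	}
	if p.Redirect != "" {
		r, err := url.Parse(p.Redirect)
		if err != nil || !r.IsAbs() {
			return "", fmt.Errorf("post_logout_redirect_uri must be an absolute URL, got %q", p.Redirect)
		}
		q.Set("post_logout_redirect_uri", p.Redirect)
	}
	if p.ClientID != "" {
		q.Set("client_id", p.ClientID)
	}
	u.RawQuery = q.Encode() // keys are emitted in sorted order
	return u.String(), nil
}

func main() {
	// Constructed discovery document; not fetched from any real provider.
	discovery := []byte(`{"issuer":"https://id.example.test",
	  "end_session_endpoint":"https://id.example.test/api/oidc/end-session"}`)
	endpoint, err := parseEndSessionEndpoint(discovery)
	if err != nil {
		panic(err)
	}
	u, err := buildEndSessionURL(endpoint, "https://id.example.test/logout", logoutParams{
		IDToken:  "eyJ.fake.token", // constructed placeholder, not a real JWT
		Redirect: "https://todo.example.test/",
		ClientID: "vikunja",
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(u)
}
```

Because `id_token_hint` rides in the query string, it ends up in the IdP's access logs and in any Referer the browser sends from the IdP's logout page; that is inherent to the spec's GET-based flow, which is one more reason to delete the stored token from the session as soon as the URL has been built.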
_test.go.tpl chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
admin_share_bypass_test.go test(admin): add webtests for /admin/* endpoints and share bypass 2026-04-20 18:55:06 +00:00
admin_test.go test(admin): add webtests for /admin/* endpoints and share bypass 2026-04-20 18:55:06 +00:00
api_token_method_matching_test.go fix(security): enforce HTTP method and path in scoped API token matcher 2026-04-09 15:17:20 +00:00
api_tokens_test.go test: verify caldav permission group appears in /routes 2026-03-30 12:09:53 +00:00
archived_test.go fix(project): remove non-existent columns from UpdateProject column list 2026-04-03 16:59:05 +00:00
background_test.go test: verify background removal preserves project title 2026-04-08 09:07:15 +00:00
caldav_test.go fix(caldav): return 404 when trying to access a project that cannot exist with CalDAV (#2796) 2026-05-28 08:14:52 +02:00
error_responses_test.go feat: add session-based auth with refresh token rotation 2026-02-25 10:30:25 +01:00
healthcheck_test.go feat: introduce shared health check logic (#1073) 2025-07-02 21:01:41 +00:00
huma_admin_actions_test.go feat(api/v2): add admin actions on /api/v2 2026-06-11 19:32:42 +00:00
huma_admin_test.go test(api/v2): port full v1 admin projects coverage 2026-06-03 19:48:08 +00:00
huma_api_token_test.go feat(api/v2): add API token list/create/delete on /api/v2 2026-06-05 08:49:23 +00:00
huma_archived_test.go test(api/v2): isolate project tests per-handler, not via shared harness 2026-06-05 07:40:07 +00:00
huma_auth_login_test.go fix(auth): build OIDC end-session URL with id_token_hint and post_logout_redirect_uri 2026-06-19 16:06:26 +02:00
huma_auth_refresh_test.go feat(api/v2): port refresh-token endpoint to /api/v2 2026-06-17 20:34:38 +00:00
huma_auth_test.go test(api/v2): cover ported auth/token endpoints 2026-06-12 07:58:17 +00:00
huma_avatar_test.go test(api/v2): port full v1 avatar coverage to TestAvatar 2026-06-03 19:58:27 +00:00
huma_avatar_upload_test.go fix(api/v2): reject non-decodable images (e.g. SVG) on avatar upload with 400 2026-06-02 11:55:25 +00:00
huma_background_download_test.go test(api/v2): cover background download and unsplash proxy routes 2026-06-17 11:31:50 +00:00
huma_background_test.go test(api/v2): split the B1 webtests into per-route files 2026-06-11 20:07:43 +00:00
huma_background_upload_test.go feat(api/v2): add project background upload on /api/v2 2026-06-12 08:47:08 +00:00
huma_bot_user_test.go feat(api/v2): add bot user CRUD on /api/v2 2026-06-05 08:51:39 +00:00
huma_bulk_task_test.go feat(api/v2): add bulk task updates on /api/v2 2026-06-09 20:13:02 +00:00
huma_caldav_token_test.go feat(api/v2): add CalDAV tokens on /api/v2 2026-06-10 17:55:52 +00:00
huma_errors_test.go test(api/v2): Label round-trip, ETag, PATCH, error shapes 2026-05-31 12:56:57 +00:00
huma_helpers_test.go test(api/v2): Label round-trip, ETag, PATCH, error shapes 2026-05-31 12:56:57 +00:00
huma_info_test.go test(api/v2): split the B1 webtests into per-route files 2026-06-11 20:07:43 +00:00
huma_label_task_bulk_test.go feat(api/v2): add bulk label replacement on /api/v2 2026-06-10 11:56:05 +02:00
huma_label_task_test.go feat(api/v2): add task labels (create/list/delete) on /api/v2 2026-06-05 08:33:47 +00:00
huma_label_test.go feat(labels): let bot owners manage labels created by their bots 2026-06-09 11:40:04 +00:00
huma_link_sharing_test.go fix(link-sharing): resolve share read permission via project id so by-id reads work 2026-06-05 09:17:25 +00:00
huma_migration_csv_test.go test(api/v2): cover the v2 file and CSV migrator endpoints 2026-06-12 08:51:19 +00:00
huma_migration_file_test.go test(api/v2): cover the v2 file and CSV migrator endpoints 2026-06-12 08:51:19 +00:00
huma_migration_oauth_test.go feat(api/v2): port OAuth migrators (Todoist, Trello, Microsoft To-Do) 2026-06-11 18:35:55 +00:00
huma_non_crud_aliases_test.go feat(api/v2): expose websocket endpoint under /api/v2 2026-06-17 20:35:28 +00:00
huma_notification_test.go fix(api/v2): return 200 from notifications mark-all (creates nothing) 2026-06-07 10:05:24 +00:00
huma_project_duplicate_test.go feat(api/v2): add project duplication on /api/v2 2026-06-09 20:11:43 +00:00
huma_project_team_test.go feat(api/v2): add project team shares CRUD on /api/v2 2026-06-07 15:33:20 +00:00
huma_project_test.go test(api/v2): cover central validation (422, invalid_fields, full-body webhook updates) 2026-06-06 21:09:56 +00:00
huma_project_user_test.go feat(api/v2): add project user shares CRUD on /api/v2 2026-06-07 10:37:59 +00:00
huma_project_view_test.go feat(api/v2): report max_permission on label and project-view reads 2026-06-04 21:16:51 +00:00
huma_reaction_test.go feat(api/v2): add reactions on /api/v2 2026-06-09 21:34:22 +00:00
huma_saved_filter_test.go feat(api/v2): add saved filter CRUD on /api/v2 2026-06-07 10:40:20 +00:00
huma_session_test.go feat(api/v2): add session list/delete on /api/v2 2026-06-05 08:21:48 +00:00
huma_subscription_test.go docs: trim wordy comments to load-bearing whys 2026-06-07 09:57:51 +00:00
huma_task_assignee_bulk_test.go feat(api/v2): add bulk assignee replacement on /api/v2 2026-06-09 19:42:16 +00:00
huma_task_assignee_test.go feat(api/v2): add task assignees (create/list/delete) on /api/v2 2026-06-06 19:06:12 +00:00
huma_task_attachment_test.go feat(api/v2): add task attachments on /api/v2 2026-06-10 10:22:39 +00:00
huma_task_bucket_test.go feat(api/v2): add kanban task-bucket moves on /api/v2 2026-06-09 20:01:20 +00:00
huma_task_collection_test.go feat(api/v2): add task collection (task lists) on /api/v2 2026-06-11 18:31:03 +00:00
huma_task_comment_test.go test(api/v2): assert task comment max_permission and per-caller ETag 2026-06-05 07:43:38 +00:00
huma_task_duplicate_test.go test(api/v2): port full v1 TaskDuplicate coverage 2026-06-03 20:29:15 +00:00
huma_task_position_test.go feat(api/v2): add task position updates on /api/v2 2026-06-10 11:55:51 +02:00
huma_task_relation_test.go feat(api/v2): add task relations on /api/v2 2026-06-09 20:42:00 +00:00
huma_task_test.go fix(api/v2): return ErrProjectDoesNotExist for unknown project identifiers 2026-06-10 10:12:09 +00:00
huma_task_unread_status_test.go feat(api/v2): add task read-status marking on /api/v2 2026-06-09 19:50:58 +00:00
huma_team_member_test.go feat(api/v2): add team members (add/remove/admin-toggle) on /api/v2 2026-06-07 10:48:23 +00:00
huma_team_test.go test(api/v2): assert both ETags non-empty in team permission test 2026-06-05 08:06:54 +00:00
huma_testing_test.go test(api/v2): use cross-engine datetime literals in testing webtest 2026-06-17 12:13:50 +00:00
huma_time_entry_test.go test(time-tracking): cover the v2 time-entry routes 2026-06-08 13:54:09 +00:00
huma_user_deletion_test.go feat(api/v2): add user account-deletion flow on /api/v2 2026-06-10 19:15:05 +00:00
huma_user_export_test.go fix(files): never cache file downloads in v1 or v2 2026-06-17 18:39:38 +00:00
huma_user_search_test.go test(api/v2): split the B1 webtests into per-route files 2026-06-11 20:07:43 +00:00
huma_user_settings_test.go feat(api/v2): add user account/settings on /api/v2 2026-06-11 07:02:31 +00:00
huma_user_totp_test.go feat(api/v2): add totp qr code endpoint 2026-06-17 18:39:38 +00:00
huma_user_webhook_test.go feat(api/v2): add user webhooks on /api/v2 2026-06-10 19:12:41 +00:00
huma_webhook_event_test.go test(api/v2): split the B1 webtests into per-route files 2026-06-11 20:07:43 +00:00
huma_webhook_test.go test(api/v2): cover central validation (422, invalid_fields, full-body webhook updates) 2026-06-06 21:09:56 +00:00
integrations.go test(api/v2): isolate project tests per-handler, not via shared harness 2026-06-05 07:40:07 +00:00
kanban_test.go refactor: centralize HTTP error handling (#2062) 2026-01-08 10:02:59 +00:00
label_task_test.go test: add web tests for bulk label task endpoint 2026-03-10 23:58:44 +01:00
link_share_avatar_test.go feat!: rename right to permission (#1277) 2025-08-13 11:05:05 +02:00
link_sharing_auth_test.go chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
link_sharing_test.go test(security): webtest that a deleted link share rejects its still-valid JWT 2026-04-09 15:38:07 +00:00
login_test.go fix(auth): return ErrAccountLocked for locked accounts on login 2026-06-17 19:43:41 +00:00
main_test.go refactor: use Go idioms for running tests 2026-02-17 18:01:05 +01:00
oauth2_test.go test: add tests for OAuth 2.0 authorization flow 2026-03-27 23:05:04 +00:00
project_test.go fix(security): move reparent Admin gate into UpdateProject 2026-04-09 16:47:35 +00:00
register_test.go chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
sessions_test.go test: add session lifecycle tests 2026-02-25 10:30:25 +01:00
task_attachment_idor_test.go test: add IDOR test for task attachment ReadOne (GHSA-jfmm-mjcp-8wq2) 2026-03-23 16:34:07 +00:00
task_attachment_upload_test.go feat: add session-based auth with refresh token rotation 2026-02-25 10:30:25 +01:00
task_by_index_test.go test(api): cover positive project-identifier resolution 2026-05-19 08:53:25 +00:00
task_collection_test.go feat(projects): always store identifiers as uppercase (#2775) 2026-05-19 10:35:43 +02:00
task_comment_test.go fix: use require.Error instead of assert.Error for error assertions 2026-03-20 11:41:28 +00:00
task_test.go fix(assignees): resolve 500 error when reading task assignees 2026-05-26 18:59:33 +00:00
token_test.go chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
user_change_password_test.go test(api): add tests for password validation in reset and update flows 2026-02-25 13:44:56 +01:00
user_confirm_email_test.go refactor: centralize HTTP error handling (#2062) 2026-01-08 10:02:59 +00:00
user_export_download_test.go refactor: centralize HTTP error handling (#2062) 2026-01-08 10:02:59 +00:00
user_export_status_test.go feat: show user export status in settings (#1200) 2025-07-30 15:50:26 +00:00
user_password_request_token_test.go refactor: centralize HTTP error handling (#2062) 2026-01-08 10:02:59 +00:00
user_password_reset_test.go test: add web test for disabled user password reset rejection 2026-03-20 11:23:21 +00:00
user_project_test.go test: verify email masking for external team name search 2026-03-04 20:32:11 +01:00
user_show_test.go chore: rename API test suites (#938) 2025-06-13 08:23:17 +00:00
user_totp_test.go fix: update TOTP fixtures and tests to avoid conflicts with existing enrollment tests 2026-03-20 12:22:27 +00:00
webhook_test.go test: add failing test for webhook BasicAuth credential exposure 2026-03-23 16:35:47 +00:00