Implemented universal logout

2025-08-30 23:38:13 +02:00 · 2025-07-22 13:14:06 +02:00
parent 22ff2dc1f3
commit 4b9e7dd3b7
70 changed files with 522 additions and 72 deletions
--- a/roles/web-svc-logout/templates/docker-compose.yml.j2
+++ b/roles/web-svc-logout/templates/docker-compose.yml.j2
@@ -0,0 +1,14 @@
+{% include 'roles/docker-compose/templates/base.yml.j2' %}
+  logout:
+    {% include 'roles/docker-container/templates/base.yml.j2' %}
+    build:
+      context: {{ docker_repository_path }}
+      dockerfile: Dockerfile
+    image: logout
+    container_name: logout
+    ports:
+      - 127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}
+{% include 'roles/docker-container/templates/networks.yml.j2' %}
+{% include 'roles/docker-container/templates/healthcheck/tcp.yml.j2' %}
+
+{% include 'roles/docker-compose/templates/networks.yml.j2' %}
--- a/roles/web-svc-logout/templates/env.j2
+++ b/roles/web-svc-logout/templates/env.j2
@@ -0,0 +1,14 @@
+# Comma‑separated list of all subdomains to log out (no spaces)
+LOGOUT_DOMAINS={{ logout_domains }}
+
+# Port the logout service will listen on inside the container
+LOGOUT_PORT={{ container_port }}
+
+# (Optional) If you’re using docker‑compose, you can also define:
+#HOST_LOGOUT_PORT=8080
+#HOST_NGINX_HTTP_PORT=80
+#HOST_NGINX_HTTPS_PORT=443
+
+# (For the Nginx Jinja2 proxy snippet)
+#LOGOUT_SERVICE_HOST=logout-service
+#LOGOUT_SERVICE_PORT=8000
--- a/roles/web-svc-logout/templates/logout-proxy.conf.j2
+++ b/roles/web-svc-logout/templates/logout-proxy.conf.j2
@@ -0,0 +1,20 @@
+location = /logout {
+    # Proxy to the logout service
+    proxy_pass         http://127.0.0.1:{{ ports.localhost.http['web-svc-logout'] }}/logout;
+    proxy_set_header   Host              $host;
+    proxy_set_header   X-Real-IP         $remote_addr;
+    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header   X-Forwarded-Proto $scheme;
+    proxy_http_version 1.1;
+
+    # CORS headers – allow your central page to call this
+    add_header 'Access-Control-Allow-Origin'  '{{ domains | get_url('web-svc-logout', web_protocol) }}' always;
+    add_header 'Access-Control-Allow-Credentials' 'true'                     always;
+    add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'               always;
+    add_header 'Access-Control-Allow-Headers' 'Accept, Authorization'     always;
+
+    # Handle preflight
+    if ($request_method = OPTIONS) {
+      return 204;
+    }
+}