kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-03 07:59:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Improve logout patch debug and tighten detection

Browse Source 
- Add debugMode parameter to initLogoutPatch with structured console logging
- Pass MODE_DEBUG into logout_one_liner init call
- Exclude <form> elements and large text blocks from logout candidates to avoid mapping LAM user list form as logout

Ref: https://chatgpt.com/share/692b325e-37c0-800f-bb5a-129aae4c65f8
This commit is contained in:
Kevin Veen-Birkenbach
2025-11-29 18:53:03 +01:00
parent 26dfab147d
commit 86760a4be7
2 changed files with 95 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

119
roles/sys-front-inj-logout/files/logout.js
View File

@@ -1,29 +1,57 @@
/* logoutPatch.js */ /* logoutPatch.js */
(function(global) { (function(global) {
/** /**
* Initialize the logout patch script. * Initialize the logout patch script.
* @param {string} logoutUrlBase - Base logout URL (e.g., from your OIDC client). * @param {string} logoutUrlBase - Base logout URL (e.g., from your OIDC client).
* @param {string} webProtocol - Protocol to use (e.g., "https"). * @param {string} webProtocol - Protocol to use (e.g., "https").
* @param {string} primaryDomain - Primary domain (e.g., "example.com"). * @param {string} primaryDomain - Primary domain (e.g., "example.com").
* @param {boolean} debugMode - If true, debug logging is enabled.
*/ */
function initLogoutPatch(logoutUrlBase, webProtocol, primaryDomain) { function initLogoutPatch(logoutUrlBase, webProtocol, primaryDomain, debugMode) {
const DEBUG = !!debugMode;
function log(reason, el, extra) {
if (!DEBUG) return;
console.debug('[logoutPatch]', reason, extra || {}, el || null);
}
const redirectUri = encodeURIComponent(webProtocol + '://' + primaryDomain); const redirectUri = encodeURIComponent(webProtocol + '://' + primaryDomain);
const logoutUrl = logoutUrlBase + '?redirect_uri=' + redirectUri; const logoutUrl = logoutUrlBase + '?redirect_uri=' + redirectUri;
function matchesLogout(str) { function matchesLogout(str) {
return str && /(?:^|\W)log\s*out(?:\W|$)|logout/i.test(str); const matched = str && /(?:^|\W)log\s*out(?:\W|$)|logout/i.test(str);
if (matched) log('matchesLogout', null, { value: str });
return matched;
} }
/** /**
* Returns true if any attribute name or value on the given element * Returns true if any attribute name or value on the given element
* contains the substring "logout" (case-insensitive). * contains the substring "logout" (case-insensitive).
* *
* @param {Element} element The DOM element to inspect. * @param {Element} element The DOM element to inspect.
* @returns {boolean} True if "logout" appears in any attribute name or value. * @returns {boolean} True if "logout" appears in any relevant attribute name or value.
*/ */
function containsLogoutAttribute(element) { function containsLogoutAttribute(element) {
for (const attribute of element.attributes) { for (const attribute of element.attributes) {
if (/logout/i.test(attribute.name) || /logout/i.test(attribute.value)) { const name = attribute.name || '';
const value = attribute.value || '';
// Strong indicator: attribute *name* contains "logout"
if (/logout/i.test(name)) {
log('containsLogoutAttribute (name match)', element, {
attrName: name,
attrValue: value
});
return true;
}
// Only consider values of semantic attributes (NOT href/action)
if ((name.startsWith('data-') || name.startsWith('aria-')) && /logout/i.test(value)) {
log('containsLogoutAttribute (data/aria value match)', element, {
attrName: name,
attrValue: value
});
return true; return true;
} }
} }
@@ -35,40 +63,63 @@
const ariaLabel = el.getAttribute('aria-label'); const ariaLabel = el.getAttribute('aria-label');
const onclick = el.getAttribute('onclick'); const onclick = el.getAttribute('onclick');
if (matchesLogout(title) || matchesLogout(ariaLabel) || matchesLogout(onclick)) return true; if (matchesLogout(title)) return true;
if (matchesLogout(ariaLabel)) return true;
if (matchesLogout(onclick)) return true;
for (const attr of el.attributes) { for (const attr of el.attributes) {
if (attr.name.startsWith('data-') && matchesLogout(attr.name + attr.value)) return true; if (attr.name.startsWith('data-') &&
matchesLogout(attr.name + attr.value)) {
log('matchesTechnicalIndicators (data-* match)', el, {
attrName: attr.name,
attrValue: attr.value
});
return true;
}
} }
if (typeof el.onclick === 'function' && matchesLogout(el.onclick.toString())) return true; if (typeof el.onclick === 'function' &&
matchesLogout(el.onclick.toString())) {
log('matchesTechnicalIndicators (onclick function match)', el);
return true;
}
if (el.tagName.toLowerCase() === 'use') { if (el.tagName.toLowerCase() === 'use') {
const href = el.getAttribute('xlink:href') || el.getAttribute('href'); const href = el.getAttribute('xlink:href') || el.getAttribute('href');
if (matchesLogout(href)) return true; if (matchesLogout(href)) {
log('matchesTechnicalIndicators (<use> href match)', el, { href });
return true;
}
} }
return false; return false;
} }
/** /**
* Apply logout redirect behavior to a matching element: * Apply logout redirect behavior to a matching element:
* Installs a capturing clickhandler to force navigation to logoutUrl * Installs a capturing clickhandler to force navigation to logoutUrl
* Always sets href/formaction/action to logoutUrl * Always sets href/formaction/action to logoutUrl
* Marks the element as patched to avoid doublebinding * Marks the element as patched to avoid doublebinding
* *
* @param {Element} el The element to override (e.g. <a>, <button>, <form>, <input>) * @param {Element} el The element to override (e.g. <a>, <button>, <form>, <input>)
* @param {string} logoutUrl The full logout URL including redirect params * @param {string} logoutUrl The full logout URL including redirect params
*/ */
function overrideLogout(el, logoutUrl) { function overrideLogout(el, logoutUrl) {
// avoid patching the same element twice // avoid patching the same element twice
if (el.dataset._logoutHandled) return; if (el.dataset._logoutHandled) {
log('overrideLogout skipped (already handled)', el);
return;
}
el.dataset._logoutHandled = "true"; el.dataset._logoutHandled = "true";
log('overrideLogout applied', el, { logoutUrl });
// show pointer cursor // show pointer cursor
el.style.cursor = 'pointer'; el.style.cursor = 'pointer';
// capturephase listener so it fires before any framework handlers // capturephase listener so it fires before any framework handlers
el.addEventListener('click', function(e) { el.addEventListener('click', function(e) {
log('click intercepted, redirecting to logoutUrl', el);
e.preventDefault(); e.preventDefault();
window.location.href = logoutUrl; window.location.href = logoutUrl;
}, { capture: true }); }, { capture: true });
@@ -92,34 +143,48 @@
function scanAndPatch(elements) { function scanAndPatch(elements) {
elements.forEach(el => { elements.forEach(el => {
const tagName = el.tagName.toLowerCase(); const tagName = el.tagName.toLowerCase();
const isPotential = ['a','button','input','form','use'].includes(tagName); const isPotential = ['a','button','input','use'].includes(tagName);
if (!isPotential) return; if (!isPotential) return;
if (
// Prevent massive matches on huge containers
let text = el.innerText;
if (text && text.length > 1000) {
text = ''; // ignore very large blocks
}
const match =
matchesLogout(el.getAttribute('name')) || matchesLogout(el.getAttribute('name')) ||
matchesLogout(el.id) || matchesLogout(el.id) ||
matchesLogout(el.className) || matchesLogout(el.className) ||
matchesLogout(el.innerText) || matchesLogout(text) ||
containsLogoutAttribute(el) || containsLogoutAttribute(el) ||
matchesTechnicalIndicators(el) matchesTechnicalIndicators(el);
) {
if (match) {
log('scanAndPatch match', el, { tagName });
overrideLogout(el, logoutUrl); overrideLogout(el, logoutUrl);
} }
}); });
} }
// Initial scan // Initial scan
log('initial scan start');
scanAndPatch(Array.from(document.querySelectorAll('*'))); scanAndPatch(Array.from(document.querySelectorAll('*')));
log('initial scan end');
// Watch for dynamic content // Watch for dynamic content
const observer = new MutationObserver(mutations => { const observer = new MutationObserver(mutations => {
mutations.forEach(mutation => { mutations.forEach(mutation => {
mutation.addedNodes.forEach(node => { mutation.addedNodes.forEach(node => {
if (!(node instanceof Element)) return; if (!(node instanceof Element)) return;
log('MutationObserver (new element)', node);
scanAndPatch([node, ...node.querySelectorAll('*')]); scanAndPatch([node, ...node.querySelectorAll('*')]);
}); });
}); });
}); });
observer.observe(document.body, { childList: true, subtree: true }); observer.observe(document.body, { childList: true, subtree: true });
log('MutationObserver attached');
} }
// Expose to global scope // Expose to global scope

5
roles/sys-front-inj-logout/templates/logout_one_liner.js.j2
View File

@@ -2,6 +2,7 @@ document.addEventListener('DOMContentLoaded', function() {
initLogoutPatch( initLogoutPatch(
'{{ OIDC.CLIENT.LOGOUT_URL }}', '{{ OIDC.CLIENT.LOGOUT_URL }}',
'{{ WEB_PROTOCOL }}', '{{ WEB_PROTOCOL }}',
'{{ PRIMARY_DOMAIN }}' '{{ PRIMARY_DOMAIN }}',
{{ MODE_DEBUG | lower }}
); );
}); });