feat(logout): wire injector to web-svc-logout and add robust CORS/CSP for /logout

- sys-front-inj-logout: depend on web-svc-logout (run-once guarded) and simplify task flow. - web-svc-logout: align feature flags/formatting and extend CSP: - add cdn.jsdelivr.net to connect/script/style and quote values. - Nginx: move CORS config into logout-proxy.conf.j2 with dynamic vars: - Access-Control-Allow-Origin set to canonical logout origin, - Allow-Credentials=true, - Allow-Methods=GET, OPTIONS, - basic headers list (Accept, Authorization), - cache disabled for /logout responses. - Drop obsolete CORS var passing from 01_core.yml; headers now templated at proxy layer. Prepares clean cross-origin logout orchestration from https://logout.veen.world. Refs: ChatGPT discussion – https://chatgpt.com/share/68ebb75f-0170-800f-93c5-e5cb438b8ed4
2025-10-20 21:15:33 +00:00 · 2025-10-12 16:16:47 +02:00
parent 7dccffd52d
commit a996e2190f
5 changed files with 23 additions and 21 deletions
--- a/roles/web-svc-logout/config/main.yml
+++ b/roles/web-svc-logout/config/main.yml
@@ -1,9 +1,9 @@
 features:
-  matomo:           true
-  css:              true
-  desktop:  true
-  javascript:       false
-  logout:           false
+  matomo:     true
+  css:        true
+  desktop:    true
+  javascript: false
+  logout:     false
 server:
  domains:
    canonical:
@@ -19,10 +19,11 @@ server:
      connect-src:
        - "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"
        - "{{ WEB_PROTOCOL }}://{{ PRIMARY_DOMAIN }}"
+        - "https://cdn.jsdelivr.net"
      script-src-elem:
-        - https://cdn.jsdelivr.net
+        - "https://cdn.jsdelivr.net"
      style-src-elem:
-        - https://cdn.jsdelivr.net
+        - "https://cdn.jsdelivr.net"
      frame-ancestors:
        - "{{ WEB_PROTOCOL }}://<< defaults_applications[web-app-keycloak].server.domains.canonical[0] >>"

--- a/roles/web-svc-logout/tasks/01_core.yml
+++ b/roles/web-svc-logout/tasks/01_core.yml
@@ -21,11 +21,6 @@
 - name: "load docker, proxy for '{{ application_id }}'"
  include_role:
    name: sys-stk-full-stateless
-  vars:
-      aca_origin:       "'{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}' always"
-      aca_credentials:  "'true' always"
-      aca_methods:      "'GET, OPTIONS' always"
-      aca_headers:      "'Accept, Authorization' always"

 - name: Create symbolic link from .env file to repository
  file:
--- a/roles/web-svc-logout/templates/logout-proxy.conf.j2
+++ b/roles/web-svc-logout/templates/logout-proxy.conf.j2
@@ -8,7 +8,11 @@ location = /logout {
    proxy_http_version 1.1;

    {# CORS headers – allow your central page to call this #}
-    {% include 'roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2' %}
+    {%- set aca_origin = "'{{ domains | get_url('web-svc-logout', WEB_PROTOCOL) }}' always" -%}
+    {%- set aca_credentials = "'true' always" -%}
+    {%- set aca_methods = "'GET, OPTIONS' always" -%}
+    {%- set aca_headers = "'Accept, Authorization' always" -%}
+    {%- include 'roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2' -%}

    {# Disable caching absolutely #}
    add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;