Replaced nginx native with openresty for logout injection. Right now still buggy on nextcloud and espocrm

roles/srv-web-7-7-inj-logout/README.md

@@ -0,0 +1,29 @@
+# srv-web-7-7-inj-logout
+
+This role injects a catcher that intercepts all logout elements in HTML pages served by Nginx and redirects them to a centralized logout endpoint via JavaScript.
+
+## Description
+
+The `srv-web-7-7-inj-logout` Ansible role automatically embeds a lightweight JavaScript snippet into your web application's HTML responses. This script identifies logout links, buttons, forms, and other elements, overrides their target URLs, and ensures users are redirected to a central OIDC logout endpoint, providing a consistent single sign‑out experience.
+
+## Overview
+
+- **Detection**: Scans the DOM for anchors (`<a>`), buttons, inputs, forms, `use` elements and any attributes indicating logout functionality.  
+- **Override**: Rewrites logout URLs to point at your OIDC provider’s logout endpoint, including a redirect back to the application.  
+- **Dynamic content support**: Uses a `MutationObserver` to handle AJAX‑loaded or dynamically injected logout elements.  
+- **CSP integration**: Automatically appends the required script hash into your CSP policy via the role’s CSP helper.
+
+## Features
+
+- Seamless injection via Nginx `sub_filter` on `</head>`.  
+- Automatic detection of various logout mechanisms (links, buttons, forms).  
+- Centralized logout redirection for a unified user experience.  
+- No changes required in application code.  
+- Compatible with SPAs and dynamically generated content.  
+- CSP‑friendly: manages script hash for you.
+
+## Further Resources
+
+- [OpenID Connect RP-Initiated Logout](https://openid.net/specs/openid-connect-session-1_0.html#RPLogout)  
+- [Nginx `sub_filter` Module](http://nginx.org/en/docs/http/ngx_http_sub_module.html)  
+- [Ansible Role Directory Structure](https://docs.ansible.com/ansible/latest/user_guide/playbooks_roles.html#role-directory-structure)

roles/srv-web-7-7-inj-logout/meta/main.yml

@@ -1,28 +1,29 @@
 ---
 galaxy_info:
-  author: "Kevin Veen-Birkenbach"
-  description: "Injects a catcher, which catches the actions of all logout elements and redirects them to the central logout."
-  company: |
-    Kevin Veen-Birkenbach  
-    Consulting & Coaching Solutions  
-    https://www.veen.world
+  author: "Kevin Veen‑Birkenbach"
+  role_name: "srv-web-7-7-inj-logout"
+  description: >
+    Injects a JavaScript snippet via Nginx sub_filter that intercepts all logout actions
+    (links, buttons, forms) and redirects users to a centralized OIDC logout endpoint.
   license: "CyMaIS NonCommercial License (CNCL)"
   license_url: "https://s.veen.world/cncl"
   min_ansible_version: "2.9"
   platforms:
-    - name: Archlinux
-      versions:
-        - rolling
+    - name: Any
+      versions: ["all"]
   galaxy_tags:
     - nginx
+    - logout
+    - oidc
     - javascript
     - csp
     - sub_filter
-    - injection
-    - global
-  repository: "https://s.veen.world/cymais"
-  documentation: "https://s.veen.world/cymais"
-  issue_tracker_url: "https://s.veen.world/cymaisissues"
-
+  company: >
+    Kevin Veen‑Birkenbach  
+    Consulting & Coaching Solutions  
+    https://www.veen.world
+  repository: "https://github.com/kevinveenbirkenbach/cymais"
+  issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
+  documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-web-7-7-inj-logout"
 dependencies:
   - srv-web-7-4-core

roles/srv-web-7-7-inj-logout/tasks/main.yml

@@ -1,13 +1,13 @@
-# run_once_srv_web_7_7_inj_javascript: deactivated
-- name: "Load JavaScript code for '{{ application_id }}'"
+# run_once_srv_web_7_7_inj_logout: deactivated
+- name: "Load logout code for '{{ application_id }}'"
   set_fact:
-    javascript_code: "{{ lookup('template', modifier_javascript_template_file) }}"
+    logout_code: "{{ lookup('template', 'logout.js.j2') }}"
 
-- name: "Collapse Javascript code into one-liner for '{{application_id}}'"
+- name: "Collapse logout code into one-liner for '{{application_id}}'"
   set_fact:
-    javascript_code_one_liner: "{{ javascript_code | to_one_liner }}"
+    logout_code_one_liner: "{{ logout_code | to_one_liner }}"
 
-- name: "Append Javascript CSP hash for '{{application_id}}'"
+- name: "Append logout CSP hash for '{{application_id}}'"
   set_fact:
-    applications: "{{ applications | append_csp_hash(application_id, javascript_code_one_liner) }}"
+    applications: "{{ applications | append_csp_hash(application_id, logout_code_one_liner) }}"
   changed_when: false

roles/srv-web-7-7-inj-logout/templates/head_sub.j2

@@ -1 +1 @@
-<script>{{ javascript_code_one_liner | replace("'", "\\'")  }}</script>
+<script>{{ logout_code_one_liner }}</script>

roles/srv-web-7-7-inj-logout/templates/logout.js.j2

@@ -1,38 +1,100 @@
-(function() {
-  const logoutUrlBase = 'https://auth.cymais.cloud/realms/cymais.cloud/protocol/openid-connect/logout';
-  const redirectUri = encodeURIComponent('https://cymais.cloud');
-  const logoutUrl = `${logoutUrlBase}?redirect_uri=${redirectUri}`;
+(function () {
+  const logoutUrlBase = '{{ oidc.client.logout_url }}';
+  const redirectUri = encodeURIComponent('{{ web_protocol }}://{{ primary_domain }}');
+  const logoutUrl = logoutUrlBase + '?redirect_uri=' + redirectUri;
 
-  // Check if a string matches logout keywords
   function matchesLogout(str) {
-    return str && /logout|log\s*out|abmelden/i.test(str);
+    return str && /(?:^|\W)log\s*out(?:\W|$)|logout/i.test(str);
   }
 
-  // Check if any attribute name contains "logout" (case-insensitive)
   function hasLogoutAttribute(el) {
-    for (let attr of el.attributes) {
-      if (/logout/i.test(attr.name)) {
+    for (const attr of el.attributes) {
+      if (/logout/i.test(attr.name) || /\/logout/i.test(attr.value)) {
         return true;
       }
     }
     return false;
   }
 
-  // Find all elements
-  const allElements = document.querySelectorAll('*');
-  allElements.forEach(el => {
-    if (
-      matchesLogout(el.getAttribute('name')) ||
-      matchesLogout(el.id) ||
-      matchesLogout(el.className) ||
-      matchesLogout(el.innerText) ||
-      hasLogoutAttribute(el)
-    ) {
-      el.style.cursor = 'pointer';
-      el.addEventListener('click', function(event) {
-        event.preventDefault();
-        window.location.href = logoutUrl;
-      });
+  function matchesTechnicalIndicators(el) {
+    const title = el.getAttribute('title');
+    const ariaLabel = el.getAttribute('aria-label');
+    const onclick = el.getAttribute('onclick');
+
+    if (matchesLogout(title) || matchesLogout(ariaLabel) || matchesLogout(onclick)) return true;
+
+    for (const attr of el.attributes) {
+      if (attr.name.startsWith('data-') && matchesLogout(attr.name + attr.value)) return true;
     }
+
+    if (typeof el.onclick === 'function' && matchesLogout(el.onclick.toString())) return true;
+
+    if (el.tagName.toLowerCase() === 'use') {
+      const href = el.getAttribute('xlink:href') || el.getAttribute('href');
+      if (matchesLogout(href)) return true;
+    }
+
+    return false;
+  }
+
+  function overrideLogout(el) {
+    if (el.dataset._logoutHandled) return; // Prevent duplicate handling
+    el.dataset._logoutHandled = "true";
+
+    el.style.cursor = 'pointer';
+    el.addEventListener('click', function (event) {
+      event.preventDefault();
+      window.location.href = logoutUrl;
+    });
+
+    const tagName = el.tagName.toLowerCase();
+
+    if (tagName === 'a' && el.hasAttribute('href') && /\/logout/i.test(el.getAttribute('href'))) {
+      el.setAttribute('href', logoutUrl);
+    }
+
+    if ((tagName === 'button' || tagName === 'input') &&
+        el.hasAttribute('formaction') && /\/logout/i.test(el.getAttribute('formaction'))) {
+      el.setAttribute('formaction', logoutUrl);
+    }
+
+    if (tagName === 'form' && el.hasAttribute('action') && /\/logout/i.test(el.getAttribute('action'))) {
+      el.setAttribute('action', logoutUrl);
+    }
+  }
+
+  function scanAndPatch(elements) {
+    elements.forEach(el => {
+      const tagName = el.tagName.toLowerCase();
+      const isPotentialLogoutElement = ['a', 'button', 'input', 'form', 'use'].includes(tagName);
+
+      if (
+        isPotentialLogoutElement && (
+          matchesLogout(el.getAttribute('name')) ||
+          matchesLogout(el.id) ||
+          matchesLogout(el.className) ||
+          matchesLogout(el.innerText) ||
+          hasLogoutAttribute(el) ||
+          matchesTechnicalIndicators(el)
+        )
+      ) {
+        overrideLogout(el);
+      }
+    });
+  }
+
+  // Initial scan
+  scanAndPatch(document.querySelectorAll('*'));
+
+  // MutationObserver for dynamic content
+  const observer = new MutationObserver(mutations => {
+    mutations.forEach(mutation => {
+      mutation.addedNodes.forEach(node => {
+        if (!(node instanceof Element)) return;
+        scanAndPatch([node, ...node.querySelectorAll('*')]);
+      });
+    });
   });
+
+  observer.observe(document.body, { childList: true, subtree: true });
 })();

roles/srv-web-7-7-inj-logout/vars/main.yml

@@ -1 +0,0 @@
-modifier_javascript_template_file: "{{ application_id | abs_role_path_by_application_id }}/templates/javascript.js.j2"