kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-10-22 14:05:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3da645f3b8b8464a2ab51518252209e6ad059b37
computer-playbook/roles/sys-front-inj-logout
History
Kevin Veen-Birkenbach a996e2190f feat(logout): wire injector to web-svc-logout and add robust CORS/CSP for /logout 
- sys-front-inj-logout: depend on web-svc-logout (run-once guarded) and simplify task flow.
- web-svc-logout: align feature flags/formatting and extend CSP:
  - add cdn.jsdelivr.net to connect/script/style and quote values.
- Nginx: move CORS config into logout-proxy.conf.j2 with dynamic vars:
  - Access-Control-Allow-Origin set to canonical logout origin,
  - Allow-Credentials=true,
  - Allow-Methods=GET, OPTIONS,
  - basic headers list (Accept, Authorization),
  - cache disabled for /logout responses.
- Drop obsolete CORS var passing from 01_core.yml; headers now templated at proxy layer.

Prepares clean cross-origin logout orchestration from https://logout.veen.world.

Refs: ChatGPT discussion – https://chatgpt.com/share/68ebb75f-0170-800f-93c5-e5cb438b8ed4
2025-10-12 16:16:47 +02:00
..
meta
tasks
feat(logout): wire injector to web-svc-logout and add robust CORS/CSP for /logout
2025-10-12 16:16:47 +02:00
templates
vars
README.md

README.md

sys-front-inj-logout

This role injects a catcher that intercepts all logout elements in HTML pages served by Nginx and redirects them to a centralized logout endpoint via JavaScript.

Description

The sys-front-inj-logout Ansible role automatically embeds a lightweight JavaScript snippet into your web application's HTML responses. This script identifies logout links, buttons, forms, and other elements, overrides their target URLs, and ensures users are redirected to a central OIDC logout endpoint, providing a consistent single signout experience.

Overview

  • Detection: Scans the DOM for anchors (<a>), buttons, inputs, forms, use elements and any attributes indicating logout functionality.
  • Override: Rewrites logout URLs to point at your OIDC providers logout endpoint, including a redirect back to the application.
  • Dynamic content support: Uses a MutationObserver to handle AJAXloaded or dynamically injected logout elements.
  • CSP integration: Automatically appends the required script hash into your CSP policy via the roles CSP helper.

Features

  • Seamless injection via Nginx sub_filter on </head>.
  • Automatic detection of various logout mechanisms (links, buttons, forms).
  • Centralized logout redirection for a unified user experience.
  • No changes required in application code.
  • Compatible with SPAs and dynamically generated content.
  • CSPfriendly: manages script hash for you.

Further Resources