275 lines
7.4 KiB
JavaScript
275 lines
7.4 KiB
JavaScript
const { createRemoteJWKSet, jwtVerify } = require('jose');
|
|
|
|
const BACKCHANNEL_LOGOUT_EVENT_URI =
|
|
'http://schemas.openid.net/event/backchannel-logout';
|
|
const LOGOUT_TOKEN_REPLAY_TTL_MS = 10 * 60 * 1000;
|
|
|
|
function createBackchannelLogoutManager(options) {
|
|
const {
|
|
issuerUrl,
|
|
clientId,
|
|
jwksUrl,
|
|
sessionStore,
|
|
logger = console,
|
|
} = options;
|
|
|
|
if (!issuerUrl) {
|
|
throw new Error('issuerUrl is required');
|
|
}
|
|
if (!clientId) {
|
|
throw new Error('clientId is required');
|
|
}
|
|
if (!jwksUrl) {
|
|
throw new Error('jwksUrl is required');
|
|
}
|
|
if (!sessionStore || typeof sessionStore.destroy !== 'function') {
|
|
throw new Error('sessionStore.destroy is required');
|
|
}
|
|
|
|
const sidToSessionIds = new Map();
|
|
const subToSessionIds = new Map();
|
|
const sessionIdToBinding = new Map();
|
|
const processedLogoutTokens = new Map();
|
|
const jwks = createRemoteJWKSet(new URL(jwksUrl));
|
|
|
|
function addSessionBinding(map, key, sessionId) {
|
|
if (!key) {
|
|
return;
|
|
}
|
|
|
|
let existing = map.get(key);
|
|
if (!existing) {
|
|
existing = new Set();
|
|
map.set(key, existing);
|
|
}
|
|
existing.add(sessionId);
|
|
}
|
|
|
|
function removeSessionBindingFromMap(map, key, sessionId) {
|
|
if (!key) {
|
|
return;
|
|
}
|
|
|
|
const existing = map.get(key);
|
|
if (!existing) {
|
|
return;
|
|
}
|
|
|
|
existing.delete(sessionId);
|
|
if (existing.size === 0) {
|
|
map.delete(key);
|
|
}
|
|
}
|
|
|
|
function removeSessionBinding(sessionId) {
|
|
const existing = sessionIdToBinding.get(sessionId);
|
|
if (!existing) {
|
|
return;
|
|
}
|
|
|
|
removeSessionBindingFromMap(sidToSessionIds, existing.sid, sessionId);
|
|
removeSessionBindingFromMap(subToSessionIds, existing.sub, sessionId);
|
|
sessionIdToBinding.delete(sessionId);
|
|
|
|
logger.log('[세션 매핑] 제거 완료', {
|
|
sessionId,
|
|
sid: existing.sid || '(없음)',
|
|
sub: existing.sub || '(없음)',
|
|
});
|
|
}
|
|
|
|
function registerSessionBinding(sessionId, claims) {
|
|
const sid = typeof claims?.sid === 'string' ? claims.sid.trim() : '';
|
|
const sub = typeof claims?.sub === 'string' ? claims.sub.trim() : '';
|
|
|
|
removeSessionBinding(sessionId);
|
|
sessionIdToBinding.set(sessionId, { sid, sub });
|
|
addSessionBinding(sidToSessionIds, sid, sessionId);
|
|
addSessionBinding(subToSessionIds, sub, sessionId);
|
|
|
|
logger.log('[세션 매핑] 등록 완료', {
|
|
sessionId,
|
|
sid: sid || '(없음)',
|
|
sub: sub || '(없음)',
|
|
sidSessionCount: sid ? sidToSessionIds.get(sid)?.size || 0 : 0,
|
|
subSessionCount: sub ? subToSessionIds.get(sub)?.size || 0 : 0,
|
|
});
|
|
}
|
|
|
|
function getSessionIdsForLogoutClaims(claims) {
|
|
const targets = new Set();
|
|
const sid = typeof claims?.sid === 'string' ? claims.sid.trim() : '';
|
|
const sub = typeof claims?.sub === 'string' ? claims.sub.trim() : '';
|
|
|
|
if (sid && sidToSessionIds.has(sid)) {
|
|
for (const sessionId of sidToSessionIds.get(sid)) {
|
|
targets.add(sessionId);
|
|
}
|
|
}
|
|
|
|
if (targets.size === 0 && sub && subToSessionIds.has(sub)) {
|
|
for (const sessionId of subToSessionIds.get(sub)) {
|
|
targets.add(sessionId);
|
|
}
|
|
}
|
|
|
|
return Array.from(targets);
|
|
}
|
|
|
|
function destroySessionById(sessionId) {
|
|
return new Promise((resolve, reject) => {
|
|
sessionStore.destroy(sessionId, (err) => {
|
|
if (err) {
|
|
reject(err);
|
|
return;
|
|
}
|
|
resolve();
|
|
});
|
|
});
|
|
}
|
|
|
|
function cleanupProcessedLogoutTokens(now = Date.now()) {
|
|
for (const [jti, expiresAt] of processedLogoutTokens.entries()) {
|
|
if (expiresAt <= now) {
|
|
processedLogoutTokens.delete(jti);
|
|
}
|
|
}
|
|
}
|
|
|
|
function rememberProcessedLogoutToken(jti) {
|
|
cleanupProcessedLogoutTokens();
|
|
if (processedLogoutTokens.has(jti)) {
|
|
return false;
|
|
}
|
|
processedLogoutTokens.set(jti, Date.now() + LOGOUT_TOKEN_REPLAY_TTL_MS);
|
|
return true;
|
|
}
|
|
|
|
async function verifyLogoutToken(logoutToken) {
|
|
const { payload, protectedHeader } = await jwtVerify(logoutToken, jwks, {
|
|
issuer: issuerUrl,
|
|
audience: clientId,
|
|
});
|
|
|
|
if (payload.nonce !== undefined) {
|
|
throw new Error('logout_token must not include nonce');
|
|
}
|
|
|
|
if (!payload.events || typeof payload.events !== 'object') {
|
|
throw new Error('logout_token is missing events claim');
|
|
}
|
|
|
|
if (!(BACKCHANNEL_LOGOUT_EVENT_URI in payload.events)) {
|
|
throw new Error('logout_token is missing back-channel logout event');
|
|
}
|
|
|
|
const sid = typeof payload.sid === 'string' ? payload.sid.trim() : '';
|
|
const sub = typeof payload.sub === 'string' ? payload.sub.trim() : '';
|
|
if (!sid && !sub) {
|
|
throw new Error('logout_token requires sid or sub');
|
|
}
|
|
|
|
const jti = typeof payload.jti === 'string' ? payload.jti.trim() : '';
|
|
if (!jti) {
|
|
throw new Error('logout_token is missing jti');
|
|
}
|
|
if (!rememberProcessedLogoutToken(jti)) {
|
|
throw new Error('logout_token replay detected');
|
|
}
|
|
|
|
logger.log('[백채널 로그아웃] 토큰 검증 성공', {
|
|
alg: protectedHeader.alg,
|
|
kid: protectedHeader.kid || '(없음)',
|
|
iss: payload.iss,
|
|
aud: payload.aud,
|
|
sid: sid || '(없음)',
|
|
sub: sub || '(없음)',
|
|
jti,
|
|
});
|
|
|
|
return {
|
|
sid,
|
|
sub,
|
|
jti,
|
|
payload,
|
|
};
|
|
}
|
|
|
|
async function destroySessionsForLogout(claims) {
|
|
const sessionIds = getSessionIdsForLogoutClaims(claims);
|
|
let destroyedCount = 0;
|
|
|
|
logger.log('[백채널 로그아웃] 세션 탐색 결과', {
|
|
sid: claims.sid || '(없음)',
|
|
sub: claims.sub || '(없음)',
|
|
matchedSessionIds: sessionIds,
|
|
});
|
|
|
|
for (const sessionId of sessionIds) {
|
|
removeSessionBinding(sessionId);
|
|
try {
|
|
await destroySessionById(sessionId);
|
|
destroyedCount += 1;
|
|
logger.log('[백채널 로그아웃] 세션 파기 완료', { sessionId });
|
|
} catch (error) {
|
|
logger.error('[백채널 로그아웃] 세션 파기 실패', {
|
|
sessionId,
|
|
error: error.message,
|
|
});
|
|
}
|
|
}
|
|
|
|
return { sessionIds, destroyedCount };
|
|
}
|
|
|
|
async function handleBackchannelLogout(req, res) {
|
|
const logoutToken = typeof req.body.logout_token === 'string'
|
|
? req.body.logout_token.trim()
|
|
: '';
|
|
|
|
logger.log('\n[백채널 로그아웃] 요청 수신', {
|
|
hasLogoutToken: logoutToken !== '',
|
|
contentType: req.headers['content-type'] || '(없음)',
|
|
userAgent: req.headers['user-agent'] || '(없음)',
|
|
});
|
|
|
|
if (!logoutToken) {
|
|
logger.warn('[백채널 로그아웃] logout_token 누락');
|
|
return res.status(400).json({ error: 'logout_token is required' });
|
|
}
|
|
|
|
try {
|
|
const claims = await verifyLogoutToken(logoutToken);
|
|
const result = await destroySessionsForLogout(claims);
|
|
|
|
logger.log('[백채널 로그아웃] 처리 완료', {
|
|
sid: claims.sid || '(없음)',
|
|
sub: claims.sub || '(없음)',
|
|
destroyedCount: result.destroyedCount,
|
|
sessionIds: result.sessionIds,
|
|
});
|
|
|
|
return res.status(200).json({
|
|
success: true,
|
|
destroyedSessionCount: result.destroyedCount,
|
|
});
|
|
} catch (error) {
|
|
logger.error('[백채널 로그아웃] 검증 또는 세션 정리 실패', error);
|
|
return res.status(400).json({
|
|
error: 'invalid logout token',
|
|
detail: error.message,
|
|
});
|
|
}
|
|
}
|
|
|
|
return {
|
|
registerSessionBinding,
|
|
removeSessionBinding,
|
|
handleBackchannelLogout,
|
|
};
|
|
}
|
|
|
|
module.exports = {
|
|
createBackchannelLogoutManager,
|
|
};
|