From 0e1946d190f8488370c4eb645fec6f5cfa20f860 Mon Sep 17 00:00:00 2001 From: Jan Klattenhoff Date: Wed, 2 Apr 2025 16:33:28 +0200 Subject: [PATCH] refactor(auth): clean up login and logout logic --- .../login-success/login-success.component.ts | 6 ---- frontend/src/app/service/auth.service.ts | 32 +++++++++++-------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/frontend/src/app/feature/login-success/login-success.component.ts b/frontend/src/app/feature/login-success/login-success.component.ts index eb873ea..4453f13 100644 --- a/frontend/src/app/feature/login-success/login-success.component.ts +++ b/frontend/src/app/feature/login-success/login-success.component.ts @@ -17,13 +17,7 @@ export default class LoginSuccessComponent implements OnInit { private router: Router = inject(Router); async ngOnInit() { - try { - // Handle code flow without throwing errors - const success = await this.oauthService.loadDiscoveryDocumentAndTryLogin(); - - // If we have a valid access token, the user should be loaded in AuthService - const user = this.authService.getUser(); // Check if we're authenticated if (this.oauthService.hasValidAccessToken()) { diff --git a/frontend/src/app/service/auth.service.ts b/frontend/src/app/service/auth.service.ts index e9df1f7..bf0668a 100644 --- a/frontend/src/app/service/auth.service.ts +++ b/frontend/src/app/service/auth.service.ts @@ -4,7 +4,7 @@ import { UserService } from './user.service'; import { User } from '../model/User'; import { Router } from '@angular/router'; import { environment } from '../../environments/environment'; -import { catchError, from, of, tap } from 'rxjs'; +import { catchError, from, of } from 'rxjs'; @Injectable({ providedIn: 'root', 
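Review bot: Removing `try {` at the top of `ngOnInit` in login-success.component.ts leaves whatever closed that block (a `}` or a `} catch`) outside this hunk, and the diffstat records six deletions and no insertions for the file, so nothing in this patch removes the matching closer; verify the remainder of the method still balances. Dropping `await this.oauthService.loadDiscoveryDocumentAndTryLogin()` also means `this.oauthService.hasValidAccessToken()` is evaluated as soon as the component initialises, before any code exchange started elsewhere in AuthService has completed, so on the callback route the check can run too early and report no token; if that is intended, a comment such as `// Token exchange is driven by AuthService; this check only reflects tokens already in storage` would make it explicit. If the method no longer awaits anything, the `async` modifier on `ngOnInit` can go as well. The rest of ngOnInit lies outside the hunk.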
@@ -17,6 +17,10 @@ export class AuthService { scope: `openid email profile ${environment.OAUTH_CLIENT_ID}`, responseType: 'code', redirectUri: window.location.origin + '/auth/callback', + // Important - use empty post logout redirect URI to prevent auto-redirect + postLogoutRedirectUri: '', + // Don't use redirect URI as fallback for post logout + redirectUriAsPostLogoutRedirectUriFallback: false, oidc: true, requestAccessToken: true, // Explicitly set token endpoint since discovery is failing @@ -60,7 +64,7 @@ export class AuthService { // Try to exchange the authorization code for tokens this.oauthService .tryLogin({ - onTokenReceived: (context) => { + onTokenReceived: () => { // Manually create a token_received event this.handleSuccessfulLogin(); }, @@ -75,7 +79,6 @@ export class AuthService { this.oauthService .loadDiscoveryDocumentAndTryLogin() .then((isLoggedIn) => { - if (isLoggedIn && !this.user) { this.handleSuccessfulLogin(); } @@ -87,16 +90,13 @@ export class AuthService { private setupEventHandling() { this.oauthService.events.subscribe((event: OAuthEvent) => { - if (event.type === 'token_received') { this.handleSuccessfulLogin(); - } else if (event.type === 'token_refresh_error' || event.type === 'token_expires') { } }); } private handleSuccessfulLogin() { - // Extract claims from id token if available const claims = this.oauthService.getIdentityClaims(); @@ -110,7 +110,6 @@ export class AuthService { try { from(this.oauthService.loadUserProfile()) .pipe( - tap((profile) => {}), catchError((error) => { console.error('Error loading user profile:', error); // If we can't load the profile but have a token, create a minimal profile 
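Review bot: In the `@@ -87,16 +90,13 @@` hunk, the `else if (event.type === 'token_refresh_error' || event.type === 'token_expires')` branch in `setupEventHandling` has an empty body on the new side, so a failed refresh or an expiring token leaves `this.user` populated while the stored access token is no longer valid; either clear the cached user there, `this.user = null;`, or drop the branch so the gap is not hidden behind a no-op. In the `@@ -60,7 +64,7 @@` hunk, `onTokenReceived` calls `this.handleSuccessfulLogin()` directly while the `token_received` subscriber in `setupEventHandling` calls it too, so if the library also emits `token_received` after `tryLogin` succeeds the handler may run twice per login; the comment `// Manually create a token_received event` does not describe what the line does and should read `// Load the user as soon as the code exchange succeeds (the token_received subscriber may also fire)`. The enclosing methods continue outside both hunks.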
@@ -188,13 +187,20 @@ export class AuthService {
   logout() {
     try {
       this.user = null;
-
+
       // Prevent redirect to Authentik by doing a local logout only
       // Instead of using oauthService.logOut() which redirects to the provider
-
-      // Clear tokens from storage
-      this.oauthService.logOut(false); // logOut(false) prevents redirect
-
+
+      // Clear tokens from storage without redirecting
+      // The parameter noRedirectToLogoutUrl=true prevents redirect to the identity provider
+      this.oauthService.logOut(true); // true means: don't redirect to Authentik logout page
+
+      // Override any post-logout redirect URI that might be configured
+      if (window.location.href.includes('id_token') || window.location.href.includes('logout')) {
+        // If we somehow ended up at a logout URL, redirect back to the app
+        window.location.href = window.location.origin;
+      }
+
       // Clear any lingering tokens manually
       localStorage.removeItem('access_token');
       localStorage.removeItem('id_token');
@@ -202,7 +208,7 @@ export class AuthService {
       sessionStorage.removeItem('access_token');
       sessionStorage.removeItem('id_token');
       sessionStorage.removeItem('refresh_token');
-
+
       // Navigate to landing page
       this.router.navigate(['/']);
     } catch (err) {
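Review bot: `this.oauthService.logOut(true)` removes the locally stored tokens but never contacts the identity provider, so the Authentik SSO session survives and the next login redirect re-authenticates the user without a prompt; the comments describe this only as avoiding a redirect and should state the consequence, e.g. `// Local sign-out only: the Authentik session is NOT terminated, so the next login will not prompt for credentials`. The `window.location.href.includes('id_token') || window.location.href.includes('logout')` check is a substring heuristic: nothing earlier in this method navigates, and any application route whose path merely contains "logout" triggers a full page reload to the origin, bypassing the `this.router.navigate(['/'])` below, so if it is meant as a safety net for an earlier redirect it should match the exact callback path, otherwise it can go. The manual `localStorage`/`sessionStorage` removals appear to duplicate what `logOut(true)` already clears for the configured storage, which is harmless but deserves a comment saying they are a belt-and-braces cleanup. The `@@ -202,7 +208,7 @@` hunk below is whitespace only.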