feat: nuke the siteminder session cookie on logout

According to numerous Rocket Chat threads and bcgov/ocp-sso#4 the logout function only clears the Keycloak session and never clears the SiteMinder SSO session. This fix attempts to purge the SiteMinder cookie on logout when we're deployed on a subdomain of .gov.bc.ca
bcgov · Jun 23, 2020 · 59773d7 · 59773d7
1 parent 29b96c1
commit 59773d7
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/app/server/index.js b/app/server/index.js
@@ -3,14 +3,14 @@ const http = require('http');
 const https = require('https');
 const fs = require('fs');
 const {postgraphile} = require('postgraphile');
-const next = require('next');
+const nextjs = require('next');
 const PgManyToManyPlugin = require('@graphile-contrib/pg-many-to-many');
 
 const crypto = require('crypto');
 const pg = require('pg');
 const port = Number.parseInt(process.env.PORT, 10) || 3004;
 const dev = process.env.NODE_ENV !== 'production';
-const app = next({dev});
+const app = nextjs({dev});
 const handle = app.getRequestHandler();
 const session = require('express-session');
 const PgSession = require('connect-pg-simple')(session);
@@ -183,6 +183,14 @@ app.prepare().then(() => {
   };
   const keycloak = new Keycloak({store}, kcConfig);
 
+  // Nuke the siteminder session token on logout if we can
+  // this will be ignored by the user agent unless we're
+  // currently deployed to a subdomain of gov.bc.ca
+  server.post('/logout', (_req, res, next) => {
+    res.clearCookie('SMSESSION', {domain: '.gov.bc.ca', secure: true});
+    next();
+  });
+
   server.use(
     keycloak.middleware({
       logout: '/logout',