feat: added logout POST route

2025-02-23 13:05:33 +01:00 · 2025-02-23 13:05:33 +01:00 · 166ae172d0
commit 166ae172d0
parent 2f8181491a
2 changed files with 66 additions and 3 deletions
--- a/src/server/gpodder/auth.rs
+++ b/src/server/gpodder/auth.rs
@ -20,8 +20,12 @@ use crate::{
    },
 };

+const SESSION_ID_COOKIE: &str = "sessionid";
+
 pub fn router() -> Router<Context> {
-    Router::new().route("/{username}/login.json", post(post_login))
+    Router::new()
+        .route("/{username}/login.json", post(post_login))
+        .route("/{username}/logout.json", post(post_logout))
 }

 async fn post_login(
@ -47,5 +51,42 @@ async fn post_login(
    .await
    .unwrap()?;

-    Ok(jar.add(Cookie::build(("sessionid", session.id.to_string())).expires(Expiration::Session)))
+    Ok(jar.add(
+        Cookie::build((SESSION_ID_COOKIE, session.id.to_string())).expires(Expiration::Session),
+    ))
+}
+
+async fn post_logout(
+    State(ctx): State<Context>,
+    Path(username): Path<String>,
+    jar: CookieJar,
+) -> AppResult<CookieJar> {
+    if let Some(session_id) = jar.get(SESSION_ID_COOKIE) {
+        let session_id: i64 = session_id
+            .value()
+            .parse()
+            .map_err(|_| AppError::BadRequest)?;
+
+        tokio::task::spawn_blocking(move || {
+            if let Some(session) = Session::by_id(&ctx.pool, session_id)? {
+                let user = session.user(&ctx.pool)?;
+
+                // The requested user to logout should be the same as the one linked to the session
+                // ID
+                if username == user.username {
+                    Ok(session.remove(&ctx.pool)?)
+                } else {
+                    Err(AppError::BadRequest)
+                }
+            } else {
+                Ok(false)
+            }
+        })
+        .await
+        .unwrap()?;
+
+        Ok(jar.remove(SESSION_ID_COOKIE))
+    } else {
+        Ok(jar)
+    }
 }