From 4bca09435335528bbce1e8f4579fbaa9d6150ed1 Mon Sep 17 00:00:00 2001
From: Vitaly Takmazov
Date: Sun, 21 Jan 2024 16:06:54 +0300
Subject: Delete login hash on logout

---
 src/main/java/com/juick/config/SecurityConfig.java | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'src/main/java/com/juick/config')

diff --git a/src/main/java/com/juick/config/SecurityConfig.java b/src/main/java/com/juick/config/SecurityConfig.java
index c557ab4e..030cdcc2 100644
--- a/src/main/java/com/juick/config/SecurityConfig.java
+++ b/src/main/java/com/juick/config/SecurityConfig.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2023, Juick
+ * Copyright (C) 2008-2024, Juick
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU Affero General Public License as
@@ -19,7 +19,6 @@ package com.juick.config;
 
 import com.juick.ActivityPubManager;
 import com.juick.KeystoreManager;
-import com.juick.service.ActivityPubService;
 import com.juick.service.UserService;
 import com.juick.service.security.HTTPSignatureAuthenticationFilter;
 import com.juick.service.security.HashParamAuthenticationFilter;
@@ -42,6 +41,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
@@ -268,6 +268,16 @@ public class SecurityConfig {
                         .invalidateHttpSession(true)
                         .clearAuthentication(true)
                         .logoutSuccessUrl("/login")
+                        .addLogoutHandler((request, response, authentication) -> {
+                            var auth = SecurityContextHolder.getContext().getAuthentication();
+                            if (auth != null) {
+                                var principal = auth.getPrincipal();
+                                if (principal instanceof JuickUser) {
+                                    var user = ((JuickUser) principal).getUser();
+                                    userService.logout(user.getUid());
+                                }
+                            }
+                        })
                         .deleteCookies("hash", COOKIE_NAME))
                 .formLogin(form -> form.loginPage("/login")
                         .usernameParameter("username")
-- 
cgit v1.2.3