Proxy auth logout not clearing reverse proxy session

[bonza-views]

Congrats on this project, you have done an amazing job. By far my favourite File Browser.

Is your feature request related to a problem? Please describe.
I'm using Proxy auth with an reverse SSO proxy (nginx/oauth2-proxy). Login works sweet, however the logout button in FileBrowser doesn't trigger a webserver request, logout just seems to all happen in the client. No webserver log entries are created when a user logs out. Without a specific logout URL for the reverse proxy to see, the reverse proxy cannot sign out, so the session variables are never cleared. This allows unauthorised users on the same machine to access data for another user by simply clicking the browser back button.

When using a reverse proxy with proxy auth, the sessions/cookies are managed by the reverse proxy instead of the web application. There needs to be a mechanism for the web app to inform the reverse proxy the user wants to logout.

Describe the solution you'd like
If the LOGOUT button created a HTTP request like "/logout", the reverse proxy session can be cleared.

Describe alternatives you've considered
I tried using the "/login" URL in the reverse proxy to end the session, but then you can't login.

Additional context
I could have this all wrong, so happy to be corrected.

[gtsteffaniak]

thanks! and yeah, good feature request, this functionality was added for OIDC as logoutRedirectUrl

I could add something similar for proxy auth.

[christaikobo]

Is this the same request as #471?

Just tried 0.7.6 beta, doesn't seem to work.

Config

auth:
  tokenExpirationHours: 1
  methods:
    proxy:
      enabled: true
      header: "Remote-User"
      createUser: false
      logoutRedirectUrl: https://mydoamin.com/auth/logout
    password:
      enabled: false
      minLength: 16
    noauth: false

The logout URL is still https://mydomain.com/filebrowser/api/auth/logout

[bonza-views]

Yes, similar. You were requesting a custom logout link, I didn't actually see a logout link hitting the web server, maybe the browser is caching the response?

I don't actually need the logout URL defined in FileBrowser, because I can configure the logout URL in the reverse proxy, so just the fact that there is a logout URL is enough for me. I haven't tried 0.7.6-beta so can't confirm.

[gtsteffaniak]

ah thanks I just tested, there was a nil pointer bug, let me fix that.

[gtsteffaniak]

Should be re-tagged and fixed if you download again, let me know

[christaikobo]

Happy to report that it works now!