feat: add different logout behaviors

Author: hf

internal/api/logout.go

@@ -1,19 +1,42 @@
 package api
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/supabase/gotrue/internal/models"
 	"github.com/supabase/gotrue/internal/storage"
 )
 
+type LogoutBehavior string
+
+const (
+	LogoutGlobal LogoutBehavior = "global"
+	LogoutLocal  LogoutBehavior = "local"
+	LogoutOthers LogoutBehavior = "others"
+)
+
 // Logout is the endpoint for logging out a user and thereby revoking any refresh tokens
 func (a *API) Logout(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	db := a.db.WithContext(ctx)
 	config := a.config
 
-	a.clearCookieTokens(config, w)
+	behavior := LogoutGlobal
+
+	switch r.URL.Query().Get("behavior") {
+	case "", "global":
+		behavior = LogoutGlobal
+
+	case "local":
+		behavior = LogoutLocal
+
+	case "others":
+		behavior = LogoutOthers
+
+	default:
+		return badRequestError(fmt.Sprintf("Unsupported logout behavior %q", r.URL.Query().Get("behavior")))
+	}
 
 	s := getSession(ctx)
 	u := getUser(ctx)
@@ -22,15 +45,28 @@ func (a *API) Logout(w http.ResponseWriter, r *http.Request) error {
 		if terr := models.NewAuditLogEntry(r, tx, u, models.LogoutAction, "", nil); terr != nil {
 			return terr
 		}
+
 		if s != nil {
-			return models.Logout(tx, u.ID)
+			return models.LogoutAllRefreshTokens(tx, u.ID)
+		}
+
+		switch behavior {
+		case LogoutLocal:
+			return models.LogoutSession(tx, s.ID)
+
+		case LogoutOthers:
+			return models.LogoutAllExceptMe(tx, s.ID, u.ID)
 		}
-		return models.LogoutAllRefreshTokens(tx, u.ID)
+
+		// default mode, log out everywhere
+		return models.Logout(tx, u.ID)
 	})
 	if err != nil {
 		return internalServerError("Error logging out user").WithInternalError(err)
 	}
 
+	a.clearCookieTokens(config, w)
 	w.WriteHeader(http.StatusNoContent)
+
 	return nil
 }

internal/api/logout_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 	"time"
 
@@ -48,18 +49,29 @@ func (ts *LogoutTestSuite) SetupTest() {
 }
 
 func (ts *LogoutTestSuite) TestLogoutSuccess() {
-	req := httptest.NewRequest(http.MethodPost, "http://localhost/logout", nil)
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ts.token))
-	w := httptest.NewRecorder()
+	for _, behavior := range []string{"", "global", "local", "others"} {
+		reqURL, err := url.ParseRequestURI("http://localhost/logout")
+		require.NoError(ts.T(), err)
 
-	ts.API.handler.ServeHTTP(w, req)
-	require.Equal(ts.T(), http.StatusNoContent, w.Code)
+		if behavior != "" {
+			query := reqURL.Query()
+			query.Set("behavior", behavior)
+			reqURL.RawQuery = query.Encode()
+		}
+
+		req := httptest.NewRequest(http.MethodPost, reqURL.String(), nil)
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ts.token))
+		w := httptest.NewRecorder()
+
+		ts.API.handler.ServeHTTP(w, req)
+		require.Equal(ts.T(), http.StatusNoContent, w.Code)
 
-	accessTokenKey := fmt.Sprintf("%v-access-token", ts.Config.Cookie.Key)
-	refreshTokenKey := fmt.Sprintf("%v-refresh-token", ts.Config.Cookie.Key)
-	for _, c := range w.Result().Cookies() {
-		if c.Name == accessTokenKey || c.Name == refreshTokenKey {
-			require.Equal(ts.T(), "", c.Value)
+		accessTokenKey := fmt.Sprintf("%v-access-token", ts.Config.Cookie.Key)
+		refreshTokenKey := fmt.Sprintf("%v-refresh-token", ts.Config.Cookie.Key)
+		for _, c := range w.Result().Cookies() {
+			if c.Name == accessTokenKey || c.Name == refreshTokenKey {
+				require.Equal(ts.T(), "", c.Value)
+			}
 		}
 	}
 }

openapi.yaml

@@ -155,6 +155,17 @@ paths:
       security:
         - APIKeyAuth: []
           UserAuth: []
+      parameters:
+        - name: behavior
+          in: query
+          description: >
+            (Optional.) Determines how the user should be logged out. When `global` is used, the user is logged out from all active sessions. When `local` is used, the user is logged out from the current session. When `others` is used, the user is logged out from all other sessions except the current one. Clients should remove stored access and refresh tokens except when `others` is used.
+          schema:
+            type: string
+            enum:
+              - global
+              - local
+              - others
       responses:
         204:
           description: No content returned on successful logout.