|
- using Campaign_Tracker.Server.Authentication;
- using System.Security.Claims;
- using Microsoft.AspNetCore.Authorization;
- using Microsoft.AspNetCore.Mvc;
-
- namespace Campaign_Tracker.Server.Controllers;
-
- [ApiController]
- [Authorize]
- [Route("api/auth/logout")]
- public sealed class AuthLogoutController : ControllerBase
- {
- private readonly IKeycloakTokenClient _tokenClient;
- private readonly IAuthenticationAuditStore _auditStore;
- private readonly ILogger<AuthLogoutController> _logger;
-
- public AuthLogoutController(
- IKeycloakTokenClient tokenClient,
- IAuthenticationAuditStore auditStore,
- ILogger<AuthLogoutController> logger)
- {
- _tokenClient = tokenClient;
- _auditStore = auditStore;
- _logger = logger;
- }
-
- [HttpPost]
- public async Task<IActionResult> Logout(
- [FromBody] LogoutRequest? request,
- CancellationToken cancellationToken)
- {
- if (request is null || string.IsNullOrWhiteSpace(request.IdTokenHint))
- {
- return BadRequest();
- }
-
- var subject = User.Identity?.Name
- ?? User.FindFirstValue(ClaimTypes.NameIdentifier)
- ?? "unknown";
- var succeeded = false;
-
- try
- {
- await _tokenClient.EndSessionAsync(request.IdTokenHint, cancellationToken);
- succeeded = true;
- }
- catch (Exception ex)
- {
- _logger.LogWarning(
- ex,
- "Keycloak end-session call failed for subject {Subject}; client tokens will still be cleared.",
- subject);
- }
-
- _auditStore.RecordLogout(subject, succeeded, HttpContext.TraceIdentifier);
-
- // Always return 200 — per AC #8, client tokens must be cleared regardless of Keycloak availability.
- return Ok();
- }
- }
-
- public sealed record LogoutRequest(string IdTokenHint);
|
