Enable logout redirection for reverse proxy setups

When authentication is handled externally by a reverse proxy or SSO provider,
users can be redirected to an external logout URL or relative path
defined on the reverse proxy.
The reverse proxy or SSO provider must redirect back to Gitea for terminating
the local session.

Author: eliroca

custom/conf/app.example.ini

@@ -468,6 +468,13 @@ INTERNAL_TOKEN =
 ;REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
 ;REVERSE_PROXY_AUTHENTICATION_FULL_NAME = X-WEBAUTH-FULLNAME
 ;;
+;; URL or path that Gitea should redirect users to *before* performing its
+;; own logout. Use this when logout is handled by a reverse proxy or SSO.
+;; The external logout endpoint (reverse proxy / IdP) must then redirect
+;; the user back to /user/logout so Gitea can terminate its local session
+;; after the global SSO logout completes.
+;REVERSE_PROXY_LOGOUT_REDIRECT = /mellon/logout?ReturnTo=/user/logout
+;;
 ;; Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request
 ;REVERSE_PROXY_LIMIT = 1
 ;;

modules/setting/security.go

@@ -24,6 +24,7 @@ var (
 	ReverseProxyAuthUser               string
 	ReverseProxyAuthEmail              string
 	ReverseProxyAuthFullName           string
+	ReverseProxyLogoutRedirect         string
 	ReverseProxyLimit                  int
 	ReverseProxyTrustedProxies         []string
 	MinPasswordLength                  int
@@ -119,7 +120,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 	ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
 	ReverseProxyAuthEmail = sec.Key("REVERSE_PROXY_AUTHENTICATION_EMAIL").MustString("X-WEBAUTH-EMAIL")
 	ReverseProxyAuthFullName = sec.Key("REVERSE_PROXY_AUTHENTICATION_FULL_NAME").MustString("X-WEBAUTH-FULLNAME")
-
+	ReverseProxyLogoutRedirect = sec.Key("REVERSE_PROXY_LOGOUT_REDIRECT").MustString("")
 	ReverseProxyLimit = sec.Key("REVERSE_PROXY_LIMIT").MustInt(1)
 	ReverseProxyTrustedProxies = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
 	if len(ReverseProxyTrustedProxies) == 0 {

modules/templates/helper.go

@@ -139,6 +139,9 @@ func NewFuncMap() template.FuncMap {
 		"MermaidMaxSourceCharacters": func() int {
 			return setting.MermaidMaxSourceCharacters
 		},
+		"ReverseProxyLogoutRedirect": func() string {
+			return setting.ReverseProxyLogoutRedirect
+		},
 
 		// -----------------------------------------------------------------
 		// render

routers/web/auth/auth.go

@@ -416,6 +416,10 @@ func SignOut(ctx *context.Context) {
 		})
 	}
 	HandleSignOut(ctx)
+	if ctx.Req.Method == http.MethodGet {
+		ctx.Redirect(setting.AppSubURL + "/")
+		return
+	}
 	ctx.JSONRedirect(setting.AppSubURL + "/")
 }
 

routers/web/web.go

@@ -694,6 +694,7 @@ func registerWebRoutes(m *web.Router) {
 		m.Post("/recover_account", auth.ResetPasswdPost)
 		m.Get("/forgot_password", auth.ForgotPasswd)
 		m.Post("/forgot_password", auth.ForgotPasswdPost)
+		m.Get("/logout", auth.SignOut)
 		m.Post("/logout", auth.SignOut)
 		m.Get("/stopwatches", reqSignIn, user.GetStopwatches)
 		m.Get("/search_candidates", optExploreSignIn, user.SearchCandidates)

templates/base/head_navbar.tmpl

@@ -55,7 +55,9 @@
 					</div>
 
 					<div class="divider"></div>
-					<a class="item link-action" href data-url="{{AppSubUrl}}/user/logout">
+					<a class="item {{if not ReverseProxyLogoutRedirect}}link-action{{end}}"
+					{{if ReverseProxyLogoutRedirect}}href="{{ReverseProxyLogoutRedirect}}"
+					{{else}}href data-url="{{AppSubUrl}}/user/logout"{{end}}>
 						{{svg "octicon-sign-out"}}
 						{{ctx.Locale.Tr "sign_out"}}
 					</a>
@@ -128,7 +130,9 @@
 					</a>
 					{{end}}
 					<div class="divider"></div>
-					<a class="item link-action" href data-url="{{AppSubUrl}}/user/logout">
+					<a class="item {{if not ReverseProxyLogoutRedirect}}link-action{{end}}"
+					{{if ReverseProxyLogoutRedirect}}href="{{ReverseProxyLogoutRedirect}}"
+					{{else}}href data-url="{{AppSubUrl}}/user/logout"{{end}}>
 						{{svg "octicon-sign-out"}}
 						{{ctx.Locale.Tr "sign_out"}}
 					</a>