chore: end-session and revoke

Author: ryanbas21

e2e/mock-api-v2/README.md

@@ -3,7 +3,6 @@ A mock API server for simulating Ping Identity and OpenID Connect flows, built u
 ## Features
 
 - Implements endpoints for:
-
   - Healthcheck
   - OpenID Connect Discovery
   - Davinci Authorization
@@ -77,6 +76,13 @@ pnpm test
 - Requires a valid Bearer token.
 - Returns mock user information.
 
+### End Session
+
+- `GET /:envid/as/endSession`
+- Ends the user's session.
+- Accepts `post_logout_redirect_uri` and `state` query parameters for redirects.
+- Returns a confirmation message.
+
 ## Notes
 
 - The `customHtmlRoutes` and related endpoints are not currently implemented.

e2e/mock-api-v2/src/handlers/end-session.handler.ts

@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+import { Effect, Console } from 'effect';
+import { HttpApiBuilder, HttpServerRequest } from '@effect/platform';
+import { MockApi } from '../spec.js';
+import { SessionStorage } from '../services/session.service.js';
+
+export const EndSessionHandlerMock = HttpApiBuilder.group(
+  MockApi,
+  'SessionManagement',
+  (handlers) =>
+    handlers.handle('EndSession', () =>
+      Effect.gen(function* () {
+        const sessionStorage = yield* SessionStorage;
+
+        const request = yield* HttpServerRequest.HttpServerRequest;
+
+        const sessionId = request.cookies.sessionId;
+
+        if (sessionId) {
+          yield* sessionStorage.deleteSession(sessionId);
+        } else {
+          yield* Console.log('No active session');
+        }
+
+        const urlParams = request.url.includes('?')
+          ? new URLSearchParams(request.url.split('?')[1])
+          : new URLSearchParams();
+
+        const redirectUri = urlParams.get('post_logout_redirect_uri');
+        const state = urlParams.get('state');
+
+        if (redirectUri) {
+          // For a full OIDC-compliant implementation, we would validate:
+          // 1. If id_token_hint is provided, validate it
+          // 2. Verify that redirectUri is registered for this client
+
+          // Create a proper HTTP redirect (302 Found) response
+          const targetUrl = state
+            ? `${redirectUri}?state=${encodeURIComponent(state)}`
+            : redirectUri;
+
+          return {
+            status: 302,
+            headers: {
+              Location: targetUrl,
+              'Cache-Control': 'no-store',
+            },
+            body: '',
+          };
+        }
+
+        // Default response if no redirect
+        return 'Logged out successfully';
+      }).pipe(Effect.withSpan('EndSessionHandler')),
+    ),
+);

e2e/mock-api-v2/src/handlers/revoke.handler.ts

@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+import { MockApi } from '../spec.js';
+import { Tokens } from '../services/tokens.service.js';
+import { HttpApiBuilder } from '@effect/platform';
+import { Effect } from 'effect';
+
+const RevokeTokenHandler = HttpApiBuilder.group(MockApi, 'TokenRevocation', (handlers) =>
+  handlers.handle('RevokeToken', () =>
+    Effect.gen(function* () {
+      const { revokeToken } = yield* Tokens;
+
+      // For simplicity in the mock API, we'll use a default token
+      // A real implementation would parse the x-www-form-urlencoded body
+      const token = 'example-token';
+      const tokenTypeHint = undefined;
+
+      yield* Effect.log('Revoking token', { token, tokenTypeHint });
+
+      const result = yield* revokeToken(token, tokenTypeHint);
+
+      return result;
+    }).pipe(Effect.withSpan('RevokeTokenHandler')),
+  ),
+);
+
+export { RevokeTokenHandler };

e2e/mock-api-v2/src/handlers/userinfo.handler.ts

@@ -10,9 +10,6 @@ import { UserInfo } from '../services/userinfo.service.js';
 import { HttpApiBuilder } from '@effect/platform';
 import { BearerToken } from '../middleware/Authorization.js';
 
-/**
- * TODO: Need to implement an Authorization middleware
- */
 const UserInfoMockHandler = HttpApiBuilder.group(MockApi, 'Protected Requests', (handlers) =>
   handlers.handle('UserInfo', () =>
     Effect.gen(function* () {

e2e/mock-api-v2/src/main.ts

@@ -23,6 +23,8 @@ import { SessionMiddlewareMock } from './middleware/Session.js';
 import { SessionStorage } from './services/session.service.js';
 import { NodeSdk } from '@effect/opentelemetry';
 import { BatchSpanProcessor, ConsoleSpanExporter } from '@opentelemetry/sdk-trace-base';
+import { EndSessionHandlerMock } from './handlers/end-session.handler.js';
+import { RevokeTokenHandler } from './handlers/revoke.handler.js';
 
 const NodeSdkLive = NodeSdk.layer(() => ({
   resource: { serviceName: 'Mock-Api' },
@@ -35,6 +37,8 @@ const APIMock = HttpApiBuilder.api(MockApi).pipe(
   Layer.provide(AuthorizeHandlerMock),
   Layer.provide(TokensHandler),
   Layer.provide(UserInfoMockHandler),
+  Layer.provide(EndSessionHandlerMock),
+  Layer.provide(RevokeTokenHandler),
 );
 
 const ServerMock = HttpApiBuilder.serve(HttpMiddleware.logger).pipe(
@@ -51,7 +55,7 @@ const ServerMock = HttpApiBuilder.serve(HttpMiddleware.logger).pipe(
   Layer.provide(
     HttpApiBuilder.middlewareCors({
       allowedMethods: ['GET', 'PUT', 'POST', 'OPTIONS'],
-      allowedOrigins: ['http://localhost:5173', 'http://localhost:8443'],
+      allowedOrigins: ['*'],
       credentials: true,
       maxAge: 3600,
     }),

e2e/mock-api-v2/src/middleware/Authorization.ts

@@ -29,9 +29,10 @@ const AuthorizationMock = Layer.effect(
           const tokenValue = Redacted.value(bearerToken);
           yield* Effect.log('checking bearer token', tokenValue);
 
-          // Here you could add validation logic if needed
-          // For now, we just pass through any token
-          if (!tokenValue || tokenValue.trim() === '') {
+          // Validation logic
+          // 1. Check if token is empty
+          // 2. Check if token has been revoked (has REVOKED_ prefix)
+          if (!tokenValue || tokenValue.trim() === '' || tokenValue.startsWith('REVOKED_')) {
             return yield* Effect.fail(new Unauthorized());
           }
 

e2e/mock-api-v2/src/middleware/CookieMiddleware.ts

@@ -22,17 +22,35 @@ const IncrementStepIndexMock = Layer.effect(
       // Parse existing stepIndex cookie or default to 0
       const cookies = request.cookies;
       const currentStepIndex = cookies.stepIndex ? parseInt(cookies.stepIndex) : 0;
-      const newStepIndex = currentStepIndex + 1;
 
-      yield* Console.log(`Current stepIndex: ${currentStepIndex}, setting to: ${newStepIndex}`);
+      // Get the request URL path
+      const urlPath = request.url.split('?')[0];
+      // Check if this is an end-session request
+      const isEndSessionRequest = urlPath.includes('/end_session');
+      // Determine the new stepIndex based on the request type
+      let newStepIndex = currentStepIndex;
+      if (isEndSessionRequest) {
+        // Reset the stepIndex for end_session requests
+        newStepIndex = 0;
+        yield* Console.log('End session request detected, resetting stepIndex to: ' + newStepIndex);
+      } else if (urlPath.includes('/authorize') || urlPath.includes('/authenticate')) {
+        // Increment the stepIndex for authorization flow requests
+        newStepIndex = currentStepIndex + 1;
+        yield* Console.log(
+          'Current stepIndex: ' + currentStepIndex + ', incrementing to: ' + newStepIndex,
+        );
+      } else {
+        // For other requests, keep the stepIndex the same
+        yield* Console.log('Request to ' + urlPath + ', keeping stepIndex at: ' + currentStepIndex);
+      }
 
-      // Set the incremented stepIndex cookie in the response
+      // Set the appropriate stepIndex cookie in the response
       yield* HttpApp.appendPreResponseHandler((request, response) =>
         HttpServerResponse.setCookie(response, 'stepIndex', String(newStepIndex), {
           // Optional cookie options
           httpOnly: false,
           secure: false,
-          sameSite: 'lax',
+          sameSite: 'strict',
         }).pipe(
           Effect.catchTag(
             'CookieError',

e2e/mock-api-v2/src/responses/revoke/revoke.ts

@@ -0,0 +1,12 @@
+/*
+ * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+const revokeResponseBody = {
+  status: 'success' as const,
+};
+
+export { revokeResponseBody };

e2e/mock-api-v2/src/schemas/end-session.schema.ts

@@ -0,0 +1,26 @@
+/*
+ * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+import { Schema } from 'effect';
+
+// Path parameters schema for the endSession endpoint
+const EndSessionPath = Schema.Struct({
+  envid: Schema.String,
+});
+
+// URL query parameters for endSession
+const EndSessionQuery = Schema.Struct({
+  id_token_hint: Schema.optional(Schema.String),
+  post_logout_redirect_uri: Schema.optional(Schema.String),
+  state: Schema.optional(Schema.String),
+});
+
+// Request headers schema
+const EndSessionHeaders = Schema.Struct({
+  cookie: Schema.optional(Schema.String),
+});
+
+export { EndSessionPath, EndSessionQuery, EndSessionHeaders };

e2e/mock-api-v2/src/schemas/revoke/revoke.schema.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+import { Schema } from 'effect';
+
+// The environment ID path parameter
+const RevokePath = Schema.Struct({
+  envid: Schema.String,
+});
+
+// Request body for token revocation according to RFC 7009
+const RevokeRequestBody = Schema.Struct({
+  token: Schema.String, // The token to be revoked
+  token_type_hint: Schema.optional(
+    Schema.Union(Schema.Literal('access_token'), Schema.Literal('refresh_token')),
+  ), // Hint about token type (access_token or refresh_token)
+  client_id: Schema.optional(Schema.String), // OAuth 2.0 client identifier
+  client_secret: Schema.optional(Schema.String), // OAuth 2.0 client secret
+});
+
+// Simple success response
+const RevokeResponseBody = Schema.Struct({
+  status: Schema.Literal('success'), // Indicates successful token revocation
+});
+
+export { RevokePath, RevokeRequestBody, RevokeResponseBody };