feat: add option to disable 'Clear-Site-Data' header on logout (#1645)

src/lib/__snapshots__/create-config.test.ts.snap

@@ -89,6 +89,8 @@ Object {
     "unleashUrl": "http://localhost:4242",
   },
   "session": Object {
+    "clearSiteDataOnLogout": true,
+    "cookieName": "unleash-session",
     "db": true,
     "ttlHours": 48,
   },

src/lib/create-config.ts

@@ -91,6 +91,11 @@ const defaultDbOptions: IDBOption = {
 
 const defaultSessionOption: ISessionOption = {
     ttlHours: parseEnvVarNumber(process.env.SESSION_TTL_HOURS, 48),
+    clearSiteDataOnLogout: parseEnvVarBoolean(
+        process.env.SESSION_CLEAR_SITE_DATA_ON_LOGOUT,
+        true,
+    ),
+    cookieName: 'unleash-session',
     db: true,
 };
 

src/lib/middleware/session-db.ts

@@ -10,7 +10,7 @@ function sessionDb(
     knex: Knex,
 ): RequestHandler {
     let store;
-    const { db } = config.session;
+    const { db, cookieName } = config.session;
     const age =
         hoursToMilliseconds(config.session.ttlHours) || hoursToMilliseconds(48);
     const KnexSessionStore = knexSessionStore(session);
@@ -25,7 +25,7 @@ function sessionDb(
         store = new session.MemoryStore();
     }
     return session({
-        name: 'unleash-session',
+        name: cookieName,
         rolling: false,
         resave: false,
         saveUninitialized: false,

src/lib/routes/index.ts

@@ -5,13 +5,12 @@ import SimplePasswordProvider from './auth/simple-password-provider';
 import { IUnleashConfig } from '../types/option';
 import { IUnleashServices } from '../types/services';
 import { api } from './api-def';
+import LogoutController from './logout';
 
 const AdminApi = require('./admin-api');
 const ClientApi = require('./client-api');
 const Controller = require('./controller');
 const HealthCheckController = require('./health-check');
-const LogoutController = require('./logout');
-
 class IndexRouter extends Controller {
     constructor(config: IUnleashConfig, services: IUnleashServices) {
         super(config);

src/lib/routes/logout.test.ts

@@ -44,6 +44,59 @@ test('should set "Clear-Site-Data" header', async () => {
         .expect('Clear-Site-Data', '"cookies", "storage"');
 });
 
+test('should not set "Clear-Site-Data" header', async () => {
+    const baseUriPath = '';
+    const app = express();
+    const config = createTestConfig({
+        server: { baseUriPath },
+        session: { clearSiteDataOnLogout: false },
+    });
+    app.use('/logout', new LogoutController(config).router);
+    const request = supertest(app);
+    expect.assertions(1);
+    await request
+        .get(`${baseUriPath}/logout`)
+        .expect(302)
+        .expect((res) =>
+            expect(res.headers['Clear-Site-Data']).toBeUndefined(),
+        );
+});
+
+test('should clear "unleash-session" cookies', async () => {
+    const baseUriPath = '';
+    const app = express();
+    const config = createTestConfig({ server: { baseUriPath } });
+    app.use('/logout', new LogoutController(config).router);
+    const request = supertest(app);
+    expect.assertions(0);
+    await request
+        .get(`${baseUriPath}/logout`)
+        .expect(302)
+        .expect(
+            'Set-Cookie',
+            'unleash-session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
+        );
+});
+
+test('should clear "unleash-session" cookie even when disabled clear site data', async () => {
+    const baseUriPath = '';
+    const app = express();
+    const config = createTestConfig({
+        server: { baseUriPath },
+        session: { clearSiteDataOnLogout: false },
+    });
+    app.use('/logout', new LogoutController(config).router);
+    const request = supertest(app);
+    expect.assertions(0);
+    await request
+        .get(`${baseUriPath}/logout`)
+        .expect(302)
+        .expect(
+            'Set-Cookie',
+            'unleash-session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT',
+        );
+});
+
 test('should call destroy on session', async () => {
     const baseUriPath = '';
     const fakeSession = {

src/lib/routes/logout.ts

@@ -4,11 +4,17 @@ import Controller from './controller';
 import { IAuthRequest } from './unleash-types';
 
 class LogoutController extends Controller {
+    private clearSiteDataOnLogout: boolean;
+
+    private cookieName: string;
+
     private baseUri: string;
 
     constructor(config: IUnleashConfig) {
         super(config);
         this.baseUri = config.server.baseUriPath;
+        this.clearSiteDataOnLogout = config.session.clearSiteDataOnLogout;
+        this.cookieName = config.session.cookieName;
         this.get('/', this.logout);
     }
 
@@ -27,10 +33,14 @@ class LogoutController extends Controller {
             req.logout();
         }
 
-        res.set('Clear-Site-Data', '"cookies", "storage"');
+        res.clearCookie(this.cookieName);
+
+        if (this.clearSiteDataOnLogout) {
+            res.set('Clear-Site-Data', '"cookies", "storage"');
+        }
+
         res.redirect(`${this.baseUri}/`);
     }
 }
 
-module.exports = LogoutController;
 export default LogoutController;

src/lib/types/option.ts

@@ -37,6 +37,8 @@ export interface IDBOption {
 export interface ISessionOption {
     ttlHours: number;
     db: boolean;
+    clearSiteDataOnLogout: boolean;
+    cookieName: string;
 }
 
 export interface IVersionOption {