Co-authored-by: contact <contact@ophir.dev>
| redirect_uri: &str, | ||
| site_prefix: &str, | ||
| client_secret: &str, | ||
| user_id: Option<&str>, |
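Review bot: `user_id` is `Option<&str>` while `redirect_uri`, `site_prefix` and `client_secret` are plain `&str`, so the signature of this function does not oblige callers to supply the user. If every caller of this builder has an authenticated user, take `&str` and let the compiler enforce it; if the anonymous case is genuinely reachable, the `None` branch should yield a distinct, documented result rather than a URL that simply lacks the user.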
@cursoragent the user id should be mandatory
| user_id: Option<&str>, | ||
| ) -> String { | ||
| let timestamp = chrono::Utc::now().timestamp(); | ||
| let signature = compute_logout_signature(redirect_uri, timestamp, client_secret); |
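Review bot: the MAC on this line is computed over `redirect_uri` and `timestamp` only, so a `user_id` appended to the URL afterwards is not covered by the signature and can be changed without failing verification. When `user_id` is folded into the MAC input, separate the fields with a delimiter or length prefix instead of plain concatenation, so that two different (`redirect_uri`, `user_id`) pairs cannot yield the same byte string, and mirror the same construction in `verify_logout_params`, which should also check `timestamp` against a freshness window rather than only its integrity.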
@cursoragent the user id should be part of the signed message
Good catch — right now the HMAC only covers redirect_uri and timestamp, so the user_id we append wouldn’t be protected. I’ll update compute_logout_signature (and verify_logout_params) to append the user_id bytes into the MAC input, make the query parameter required whenever we have a logged-in user, and adjust the tests accordingly so the entire logout URL (including the user id) is signed and validated.
Include the OIDC user ID in logout URLs for authenticated users and fall back to the redirect URL for anonymous users to provide a meaningful destination.