feat(ui): signed-out splash + prompt=login on OIDC redirect

Two defensive layers complementing the RP-Initiated Logout in 82e25933: 1. cameleer:signed_out sessionStorage flag (set in auth-store.logout, read+cleared in LoginPage on mount) renders a 'You have been signed out successfully' card with an explicit 'Sign in again' button. Mirrors the cameleer-saas pattern. 2. prompt=login on the OIDC authorization redirect forces the IdP to re-prompt for credentials even if its session cookie somehow survived RP-Initiated Logout (proxy, race, misconfigured post_logout_redirect_uri). OIDC Core 1.0 §3.1.2.1. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 11:59:04 +02:00
parent 82e2593332
commit 32c8786d06
1 changed files with 37 additions and 2 deletions
--- a/ui/src/auth/LoginPage.tsx
+++ b/ui/src/auth/LoginPage.tsx
@@ -47,11 +47,43 @@ export function LoginPage() {
  const [password, setPassword] = useState('');
  const [oidcLoading, setOidcLoading] = useState(false);

+  // Mirrors cameleer-saas: when logout sets this flag, render a "Signed out"
+  // confirmation instead of the regular form. The flag is one-shot — read +
+  // cleared on mount.
+  const [signedOut] = useState(() => {
+    const flag = sessionStorage.getItem('cameleer:signed_out');
+    if (flag) sessionStorage.removeItem('cameleer:signed_out');
+    return !!flag;
+  });
+
  const { data: caps, isError: capsFailed, isLoading: capsLoading } = useAuthCapabilities();

  if (isAuthenticated) return <Navigate to="/" replace />;
  if (capsLoading) return null;

+  if (signedOut) {
+    return (
+      <div className={styles.page}>
+        <Card className={styles.card}>
+          <div className={styles.loginForm}>
+            <div className={styles.logo}>
+              <img src={brandLogo} alt="" className={styles.logoImg} />
+              cameleer
+            </div>
+            <p className={styles.subtitle}>You have been signed out successfully.</p>
+            <Button
+              variant="primary"
+              onClick={() => { window.location.replace(`${config.basePath}login`); }}
+              className={styles.submitButton}
+            >
+              Sign in again
+            </Button>
+          </div>
+        </Card>
+      </div>
+    );
+  }
+
  const oidcPrimary = caps?.oidc?.primary === true;
  const adminRecoveryOnly = caps?.localAccounts?.adminRecoveryOnly === true;
  const providerName = caps?.oidc?.providerName || 'Single Sign-On';
@@ -87,10 +119,13 @@ export function LoginPage() {
        client_id: data.clientId,
        redirect_uri: redirectUri,
        scope: scopes.join(' '),
+        // Defence-in-depth: even if RP-Initiated Logout did not fully clear
+        // the IdP session (proxy/cookie edge cases), prompt=login forces the
+        // IdP to re-prompt for credentials instead of silent re-auth.
+        // OIDC Core 1.0 §3.1.2.1.
+        prompt: 'login',
      });
      if (data.resource) params.set('resource', data.resource);
-      // Note: NO prompt=none. Per RFC 9700 §4.4, that's silent re-auth only;
-      // for first-time login it returns login_required and traps users on a local form.
      window.location.href = `${data.authorizationEndpoint}?${params}`;
    } catch {
      useAuthStore.setState({ error: 'OIDC configuration unavailable. Try the local form via /login?local.' });