From 81c7f434e6098f8858a917640771e08ee36c50c5 Mon Sep 17 00:00:00 2001
From: Codex <codex@nodedc.local>
Date: Tue, 5 May 2026 09:20:48 +0300
Subject: [PATCH] =?UTF-8?q?=D0=98=D0=A1=D0=9F=D0=A0=D0=90=D0=92=D0=9B?=
 =?UTF-8?q?=D0=95=D0=9D=D0=98=D0=95=20-=20NODEDC=20AUTH:=20=D0=B2=D0=B5?=
 =?UTF-8?q?=D1=80=D0=BD=D1=83=D1=82=D1=8C=20=D0=BF=D0=BE=D1=81=D0=BB=D0=B5?=
 =?UTF-8?q?=20logout-flow?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../custom-templates/base/header_js.html      | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/infra/authentik/custom-templates/base/header_js.html b/infra/authentik/custom-templates/base/header_js.html
index 0dd9259..f34e333 100644
--- a/infra/authentik/custom-templates/base/header_js.html
+++ b/infra/authentik/custom-templates/base/header_js.html
@@ -262,6 +262,66 @@
             }
         }
 
+        function isOidcLogoutFlow() {
+            const path = window.location.pathname;
+            const params = new URLSearchParams(window.location.search);
+
+            return (
+                path.includes("/end-session/") ||
+                path.includes("/if/flow/default-invalidation-flow") ||
+                params.has("post_logout_redirect_uri")
+            );
+        }
+
+        function getSafePostLogoutRedirect() {
+            const rawUrl = new URLSearchParams(window.location.search).get("post_logout_redirect_uri");
+            if (!rawUrl) return null;
+
+            try {
+                const url = new URL(rawUrl);
+                const allowedHosts = new Set([
+                    "launcher.local.nodedc",
+                    "launcher.local.notdc",
+                    "launcher.notdc.ru",
+                    "platform.notdc.ru",
+                    "notdc.ru",
+                ]);
+
+                if (!["http:", "https:"].includes(url.protocol)) return null;
+                if (!allowedHosts.has(url.hostname)) return null;
+                if (!url.pathname.startsWith("/auth/logged-out")) return null;
+
+                return url.toString();
+            } catch {
+                return null;
+            }
+        }
+
+        function redirectCompletedLogout(root) {
+            if (!isOidcLogoutFlow() || document.body?.dataset.nodedcLogoutRedirected === "true") return;
+
+            const redirectUrl = getSafePostLogoutRedirect();
+            if (!redirectUrl) return;
+
+            const text = root.textContent || "";
+            const logoutComplete = [
+                "Logout successful",
+                "You've logged out",
+                "You have been logged out",
+                "Logged out",
+                "Вы вышли",
+                "Выход выполнен",
+            ].some((message) => text.includes(message));
+
+            if (!logoutComplete) return;
+
+            document.body.dataset.nodedcLogoutRedirected = "true";
+            document.body.classList.add("nodedc-auth-submitting");
+            window.setTimeout(() => {
+                window.location.replace(redirectUrl);
+            }, 150);
+        }
+
         let scheduled = false;
 
         function enhanceAuthFields() {
@@ -273,6 +333,7 @@
                 enhanceSubmitHandoff(root);
                 translateAuthText(root);
                 restoreCardOnErrors(root);
+                redirectCompletedLogout(root);
             });
         }