ИСПРАВЛЕНИЕ - NODEDC TASK: жестко очищать сессию при logout

2026-05-05 09:58:23 +03:00 · 2026-05-05 09:58:23 +03:00 · ed18a07154
parent f02865512f
commit ed18a07154
3 changed files with 51 additions and 10 deletions
--- a/plane-src/apps/api/plane/authentication/views/app/signout.py
+++ b/plane-src/apps/api/plane/authentication/views/app/signout.py
@ -8,13 +8,16 @@ from django.http import HttpResponseRedirect

 # Module imports
 from plane.authentication.utils.host import base_host
-from plane.authentication.views.nodedc_logout import get_logout_redirect_url, logout_current_user
+from plane.authentication.views.nodedc_logout import clear_nodedc_auth_cookies, get_logout_redirect_url, logout_current_user


 class SignOutAuthEndpoint(View):
    def post(self, request):
+        redirect_url = get_logout_redirect_url(base_host(request=request, is_app=True))
        try:
            logout_current_user(request)
-            return HttpResponseRedirect(get_logout_redirect_url(base_host(request=request, is_app=True)))
        except Exception:
-            return HttpResponseRedirect(get_logout_redirect_url(base_host(request=request, is_app=True)))
+            pass
+
+        response = HttpResponseRedirect(redirect_url)
+        return clear_nodedc_auth_cookies(response, request)
--- a/plane-src/apps/api/plane/authentication/views/nodedc_logout.py
+++ b/plane-src/apps/api/plane/authentication/views/nodedc_logout.py
@ -1,6 +1,7 @@
 import os

 from django.contrib.auth import logout
+from django.conf import settings
 from django.http import HttpResponse, HttpResponseRedirect
 from django.utils import timezone
 from django.views import View
@ -31,14 +32,49 @@ def logout_current_user(request):
    logout(request)


+def clear_nodedc_auth_cookies(response, request=None):
+    cookie_names = (
+        getattr(settings, "SESSION_COOKIE_NAME", "session-id"),
+        getattr(settings, "CSRF_COOKIE_NAME", "csrftoken"),
+        getattr(settings, "ADMIN_SESSION_COOKIE_NAME", "admin-session-id"),
+        "sessionid",
+        "session-id",
+        "csrftoken",
+    )
+    domain = getattr(settings, "SESSION_COOKIE_DOMAIN", None) or getattr(settings, "CSRF_COOKIE_DOMAIN", None)
+
+    if request is not None:
+        host = request.get_host().split(":", 1)[0].lower()
+        for suffix in (".local.nodedc", ".local.notdc", ".notdc.ru", ".nodedc.ru"):
+            if host.endswith(suffix):
+                domain = domain or suffix
+                break
+
+    for cookie_name in filter(None, cookie_names):
+        response.delete_cookie(cookie_name, path="/")
+
+    if domain:
+        session_cookie_name = getattr(settings, "SESSION_COOKIE_NAME", "session-id")
+        response["Set-Cookie"] = (
+            f'{session_cookie_name}=""; Domain={domain}; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/'
+        )
+
+    response["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0"
+    response["Clear-Site-Data"] = '"cookies", "storage"'
+    response["Pragma"] = "no-cache"
+    return response
+
+
 class NodeDCFrontChannelLogoutEndpoint(View):
    def get(self, request):
        logout_current_user(request)
-        return HttpResponse(
+        response = HttpResponse(
            "<!doctype html><html><head><meta charset='utf-8'></head><body>NODE.DC Task session closed.</body></html>",
            content_type="text/html",
        )
+        return clear_nodedc_auth_cookies(response, request)

    def post(self, request):
        logout_current_user(request)
-        return HttpResponseRedirect(get_logout_redirect_url("/"))
+        response = HttpResponseRedirect(get_logout_redirect_url("/"))
+        return clear_nodedc_auth_cookies(response, request)
--- a/plane-src/apps/api/plane/authentication/views/space/signout.py
+++ b/plane-src/apps/api/plane/authentication/views/space/signout.py
@ -8,18 +8,20 @@ from django.http import HttpResponseRedirect

 # Module imports
 from plane.authentication.utils.host import base_host
-from plane.authentication.views.nodedc_logout import get_logout_redirect_url, logout_current_user
+from plane.authentication.views.nodedc_logout import clear_nodedc_auth_cookies, get_logout_redirect_url, logout_current_user
 from plane.utils.path_validator import get_safe_redirect_url


 class SignOutAuthSpaceEndpoint(View):
    def post(self, request):
        next_path = request.POST.get("next_path")
+        url = get_safe_redirect_url(base_url=base_host(request=request, is_space=True), next_path=next_path)
+        redirect_url = get_logout_redirect_url(url)

        try:
            logout_current_user(request)
-            url = get_safe_redirect_url(base_url=base_host(request=request, is_space=True), next_path=next_path)
-            return HttpResponseRedirect(get_logout_redirect_url(url))
        except Exception:
-            url = get_safe_redirect_url(base_url=base_host(request=request, is_space=True), next_path=next_path)
-            return HttpResponseRedirect(get_logout_redirect_url(url))
+            pass
+
+        response = HttpResponseRedirect(redirect_url)
+        return clear_nodedc_auth_cookies(response, request)