Expire cookie that was set as part of token endpoint during logout (u…

…nitycatalog#678) **PR Checklist** - [x] A description of the changes is added to the description of this PR. - [ ] If there is a related issue, make sure it is linked to this PR. - [ ] If you've fixed a bug or added code that should be tested, add tests! - [ ] If you've added or modified a feature, documentation in `docs` is updated **Description of changes** This change is to expire cookie during logout by exposing logout endpoint , feature that was added as part of unitycatalog#542 and implemented as part of PR unitycatalog#593 --------- Signed-off-by: sudharshanraja-db <[email protected]> Co-authored-by: Denny Lee <[email protected]> Co-authored-by: Jamie Knight <[email protected]>
sf-bigdata · Nov 14, 2024 · 11bff8c · 11bff8c
1 parent 6623469
commit 11bff8c
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 6 deletions.
diff --git a/server/src/main/java/io/unitycatalog/server/service/AuthDecorator.java b/server/src/main/java/io/unitycatalog/server/service/AuthDecorator.java
@@ -60,8 +60,8 @@ public HttpResponse serve(HttpService delegate, ServiceRequestContext ctx, HttpR
     String authorizationHeader = req.headers().get(HttpHeaderNames.AUTHORIZATION);
     String authorizationCookie =
         req.headers().cookies().stream()
-            .map(Cookie::name)
-            .filter(name -> name.equals(UC_TOKEN_KEY))
+            .filter(c -> c.name().equals(UC_TOKEN_KEY))
+            .map(Cookie::value)
             .findFirst()
             .orElse(null);
 

diff --git a/server/src/main/java/io/unitycatalog/server/service/AuthService.java b/server/src/main/java/io/unitycatalog/server/service/AuthService.java
@@ -167,17 +167,30 @@ public HttpResponse grantToken(
             String cookieTimeout =
                 ServerProperties.getInstance().getProperty("server.cookie-timeout", "P5D");
             Cookie cookie =
-                Cookie.secureBuilder(AuthDecorator.UC_TOKEN_KEY, accessToken)
-                    .path("/")
-                    .maxAge(Duration.parse(cookieTimeout).getSeconds())
-                    .build();
+                createCookie(AuthDecorator.UC_TOKEN_KEY, accessToken, "/", cookieTimeout);
             responseHeaders.add(HttpHeaderNames.SET_COOKIE, cookie.toSetCookieHeader());
           }
         });
 
     return HttpResponse.ofJson(responseHeaders.build(), response);
   }
 
+  @Post("/logout")
+  public HttpResponse logout(HttpRequest request) {
+    return request.headers().cookies().stream()
+        .filter(c -> c.name().equals(AuthDecorator.UC_TOKEN_KEY))
+        .findFirst()
+        .map(
+            authorizationCookie -> {
+              Cookie expiredCookie = createCookie(AuthDecorator.UC_TOKEN_KEY, "", "/", "PT0S");
+              ResponseHeaders headers =
+                  ResponseHeaders.of(
+                      HttpStatus.OK, HttpHeaderNames.SET_COOKIE, expiredCookie.toSetCookieHeader());
+              return HttpResponse.of(headers);
+            })
+        .orElse(HttpResponse.of(HttpStatus.OK));
+  }
+
   private static void verifyPrincipal(DecodedJWT decodedJWT) {
     String subject =
         decodedJWT.getClaim(JwtClaim.EMAIL.key()).isMissing()
@@ -201,6 +214,13 @@ private static void verifyPrincipal(DecodedJWT decodedJWT) {
         ErrorCode.INVALID_ARGUMENT, "User not allowed: " + subject);
   }
 
+  private Cookie createCookie(String key, String value, String path, String maxAge) {
+    return Cookie.secureBuilder(key, value)
+        .path(path)
+        .maxAge(Duration.parse(maxAge).getSeconds())
+        .build();
+  }
+
   // TODO: This should be probably integrated into the OpenAPI spec.
   @ToString
   static class OAuthTokenExchangeRequest {