logout: make logout code more similar to upstream nextcloud server

haslersn · haslersn · commit 1d01d78b1637 · 2023-09-14T03:10:42.000+02:00
See https://github.com/nextcloud/server/blob/b085803c0bfe8c568e5710525e49d5f6378833b6/core/Controller/LoginController.php#L99 and following lines. Also note that setting `clearingExecutionContexts` is no longer required, because it had to do with the executionContexts feature which is no longer used by nextcloud since nextcloud/server#16310. Furthermore, with the behavior introduced in nextcloud/server#12573, setting `clearingExecutionContexts` breaks our logout redirects, because the middleware subsequently (after the logout redirect) returns another redirects to `/login?clear=1`.
diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
@@ -74,7 +74,7 @@ public function boot(IBootContext $context): void
         $altLoginPage = $this->config->getSystemValue('oidc_login_alt_login_page', false);
 
         // URL for login without redirecting forcefully, false if we are not doing that
-        $noRedirLoginUrl = $useLoginRedirect ? $this->url->linkToRouteAbsolute('core.login.showLoginForm').'?noredir=1' : false;
+        $noRedirLoginUrl = $useLoginRedirect ? $this->url->linkToRouteAbsolute('core.login.showLoginForm').'?noredir=1&clear=1' : false;
 
         // Get logged in user's session
         $userSession = $container->get(IUserSession::class);
@@ -93,17 +93,20 @@ public function boot(IBootContext $context): void
             /* Redirect to logout URL on completing logout
                If do not have logout URL, go to noredir on logout */
             if ($logoutUrl = $session->get('oidc_logout_url', $noRedirLoginUrl)) {
-                $userSession->listen('\OC\User', 'postLogout', function () use ($logoutUrl, $session) {
+                $userSession->listen('\OC\User', 'postLogout', function () use ($logoutUrl, $session, $request) {
                     // Do nothing if this is a CORS request
                     if ($this->getContainer()->get(ControllerMethodReflector::class)->hasAnnotation('CORS')) {
                         return;
                     }
 
                     // Properly close the session and clear the browsers storage data before
                     // redirecting to the logout url.
-                    $session->set('clearingExecutionContexts', '1');
                     $session->close();
-                    header('Clear-Site-Data: "cache", "storage"');
+
+                    if ($request->getServerProtocol() === 'https') {
+                        // This feature is available only in secure contexts
+                        header('Clear-Site-Data: "cache", "storage"');
+                    }
 
                     header('Location: '.$logoutUrl);
 
