From d4053f8e09479fab97f3d7cfd88c1bb1f9206501 Mon Sep 17 00:00:00 2001
From: Pascal Rigaux
Date: Mon, 9 Sep 2024 20:24:17 +0200
Subject: [PATCH] feat: handle logout + login in case user is logged with external IDP but we require the local IDP
---
 app/src/services/ws.ts | 3 ++-
 server/steps/actions_pre.ts | 9 ++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/app/src/services/ws.ts b/app/src/services/ws.ts
index e90ef524..66e3bc77 100644
--- a/app/src/services/ws.ts
+++ b/app/src/services/ws.ts
@@ -141,7 +141,8 @@ function _handleErr(err : AxiosError, $scope = null, redirect = false) {
 console.log("must relog", resp.headers.toString());
 restarting = true;
 const type = resp.data && resp.data.authenticate && resp.data.authenticate.type || $scope.$route.query.idp || 'local';
- document.location.href = conf.base_pathname + 'login/' + type + '?then=' + encodeURIComponent($scope.$route.fullPath);
+ const location = conf.base_pathname + 'login/' + type + '?then=' + encodeURIComponent($scope.$route.fullPath);
+ document.location.href = resp.data?.authenticate?.need_relog_local ? `/Shibboleth.sso/Logout?return=${encodeURIComponent(location)}` : location
 return Promise.reject("logging...");
 } else if (resp.status === 401) {
 if (confirm("Votre session a expiré, vous allez devoir recommencer.")) {
diff --git a/server/steps/actions_pre.ts b/server/steps/actions_pre.ts
index bcdab9ac..ec575089 100644
--- a/server/steps/actions_pre.ts
+++ b/server/steps/actions_pre.ts
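Review bot: The new `const location` on the first added line shadows the global `location` (`window.location`) inside the very function that assigns `document.location.href`, which invites confusion between the URL string and the Location object; renaming it to `loginUrl` on both added lines (`const loginUrl = conf.base_pathname + 'login/' + type + '?then=' + encodeURIComponent($scope.$route.fullPath);` and `encodeURIComponent(loginUrl)` / `: loginUrl;` on the assignment) avoids that. The assignment line also drops the trailing semicolon that every neighbouring statement carries, and reads the response with `?.` while the `const type` line just above still walks `resp.data.authenticate` with `&&`; one access style for the same object would be more consistent. The `type` path segment comes unencoded from `$scope.$route.query.idp` on a context line, so it is not introduced here, but the new branch now also forwards that value inside the Shibboleth logout `return` parameter; building it with `encodeURIComponent(type)` would be a cheap hardening. `_handleErr` starts before and continues after the hunk.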
@@ -102,7 +102,14 @@ export const getShibAttrs: firstAction_pre = async (req, _sv) => {
 };
 export const getShibUserLdapAttrs: firstAction_pre = async (req, _sv) => {
- if (!isShibUserInLdap(req)) throw `Unauthorized`;
+ if (!isShibUserInLdap(req)) {
+ if (req.user) {
+ console.log(`user is logged with external IDP ${req.header('Shib-Identity-Provider')} but we require the local IDP`)
+ throw { code: "Unauthorized", authenticate: { need_relog_local: true } }
+ } else {
+ throw `Unauthorized`
+ }
+ }
 let filter = search_ldap.currentUser_to_filter(req.user);
 let v: v = await oneExistingPerson(filter);
 return v;
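Review bot: The added `console.log` interpolates the raw `Shib-Identity-Provider` request header into the log message; unless that header is guaranteed to be set by the SP in front of this server (not visible here), a client-supplied value containing newlines or control characters can forge or break log entries. Passing it as a separate, serialized argument keeps the entry intact: `console.log("user is logged with external IDP but we require the local IDP", JSON.stringify(req.header('Shib-Identity-Provider')))`. The same guard now throws an object `{ code, authenticate }` on one path and the bare string `Unauthorized` on the other, so whatever catches it must accept both shapes; a comment above `if (req.user) {` such as `// req.user is set but not in LDAP: logged in via an external IDP, tell the client to logout and relog locally` would record why the two cases differ. The new lines also omit the trailing semicolons that the surrounding statements use.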