fix: prevent multiple redirections to post logout url (#3366)

Closes #3342
ory · Dec 5, 2022 · 50666b9 · 50666b9
1 parent 2986605
commit 50666b9
Showing 1 changed file with 21 additions and 4 deletions.
diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -141,23 +141,40 @@ func (h *Handler) performOidcFrontOrBackChannelLogout(w http.ResponseWriter, r *
     var total = {{ len .FrontChannelLogoutURLs }};
     var redir = {{ .RedirectTo }};
 
+	var timeouts = [];
+	var redirected = false;
+	// Cancel all pending timeouts to avoid to call the frontchannel multiple times.
+	window.onbeforeunload = () => {
+		redirected = true;
+		for (var i=0; i<timeouts.length; i++) {
+			clearTimeout(timeouts[i]);
+		}
+		timeouts = [];
+	};
+	function setAndRegisterTimeout(fct, duration) {
+		if (redirected) {
+			return;
+		}
+		timeouts.push(setTimeout(fct, duration));
+	}
+
 	function redirect() {
 		window.location.replace(redir);
 
 		// In case replace failed try href
-		setTimeout(function () {
+		setAndRegisterTimeout(function () {
 			window.location.href = redir;
-		}, 250); // Show message after http-equiv="refresh"
+		}, 250);
 	}
 
     function done() {
         total--;
         if (total < 1) {
-			setTimeout(redirect, 500);
+			setAndRegisterTimeout(redirect, 500);
         }
     }
 
-	setTimeout(redirect, 7000); // redirect after 5 seconds if e.g. an iframe doesn't load
+	setAndRegisterTimeout(redirect, 7000); // redirect after 7 seconds if e.g. an iframe doesn't load
 
 	// If the redirect takes unusually long, show a message
 	setTimeout(function () {