Entra registered the URIs with trailing slashes (https://optical-{dev,prod}.oliver.solutions/hm-aiqc/), but the JS was producing the URI without a trailing slash because Flask's request.script_root strips it (X-Script-Name: /hm-aiqc). Result was AADSTS50011 'Reply address did not match' on every sign-in attempt. Now always normalise to exactly one trailing slash, matching what's registered in Entra.
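/**
 * Logout handler — clears the server-side session cookie and the MSAL
 * session, then redirects to the login page.
 *
 * MSAL.js is loaded by base.html so the popup can also sign the user out
 * of Microsoft for this app — otherwise the MSAL cache in sessionStorage
 * would silently re-authenticate on the next page load.
 *
 * Globals read (presumably set by the page template — verify in base.html):
 *   window.BASE_URL        — script root of the app (e.g. "/hm-aiqc"); may be
 *                            unset or empty when the app is mounted at "/".
 *   window.AZURE_TENANT_ID — Entra tenant id used to build the authority URL.
 *   window.AZURE_CLIENT_ID — Entra app registration (client) id.
 */
(function () {
  'use strict';

  const logoutBtn = document.getElementById('logoutBtn');
  if (!logoutBtn) return;

  // Script root with every trailing slash removed ('' when mounted at '/').
  // All URLs below are built from this, so an unset BASE_URL can no longer
  // leak a literal "undefined" into a request path or the redirect target.
  const basePath = (window.BASE_URL || '').replace(/\/+$/, '');

  // Redirect URI exactly as registered in Entra: origin + script root +
  // exactly one trailing slash. Flask's request.script_root strips the slash
  // (X-Script-Name), so it is re-added here; any mismatch surfaces as
  // AADSTS50011 "Reply address did not match". The same URI is also used as
  // postLogoutRedirectUri, so it must be registered on the app registration.
  const redirectUri = window.location.origin + basePath + '/';

  let msalApp = null;
  try {
    // Only initialise MSAL when the library and both ids are available;
    // otherwise the server-side logout still runs but the Microsoft
    // sign-out step is skipped (and logged below when clicked).
    if (typeof msal !== 'undefined' && window.AZURE_TENANT_ID && window.AZURE_CLIENT_ID) {
      msalApp = new msal.PublicClientApplication({
        auth: {
          clientId: window.AZURE_CLIENT_ID,
          authority: 'https://login.microsoftonline.com/' + window.AZURE_TENANT_ID,
          redirectUri: redirectUri
        },
        cache: {
          cacheLocation: 'sessionStorage',
          storeAuthStateInCookie: true
        }
      });
    }
  } catch (e) {
    console.warn('MSAL init failed in auth.js:', e);
  }

  // Re-entrancy guard: a second click while the popup is open would start a
  // second server logout + popup.
  let logoutInProgress = false;

  logoutBtn.addEventListener('click', async () => {
    if (logoutInProgress) return;
    logoutInProgress = true;

    // 1. Server-side logout (clears the session cookie). Best effort so the
    //    user always reaches the login page, but a failure is logged rather
    //    than swallowed: a non-OK response means the server session may
    //    still be alive even though the browser is about to show "logged out".
    try {
      const res = await fetch(basePath + '/auth/logout', {
        method: 'POST',
        credentials: 'include'
      });
      if (!res.ok) {
        console.warn('Server logout returned HTTP ' + res.status);
      }
    } catch (e) {
      console.warn('Server logout request failed:', e);
    }

    // 2. Microsoft sign-out via popup (expected to clear the MSAL cache as
    //    well). Best effort: a blocked popup or a window closed by the user
    //    is logged instead of aborting the logout.
    if (msalApp) {
      try {
        await msalApp.logoutPopup({
          postLogoutRedirectUri: redirectUri
        });
      } catch (e) {
        console.warn('MSAL logoutPopup failed:', e);
      }
    } else {
      console.warn('MSAL not initialised; Microsoft session was not signed out.');
    }

    window.location.href = basePath + '/auth/login-page';
  });
})();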