From a61ac8de0cf9c777d4af0535540007d69dc27c40 Mon Sep 17 00:00:00 2001
From: Lars Gebhardt-Kusche
Date: Wed, 4 Mar 2026 02:02:34 +0100
Subject: [PATCH] auth
---
 config/prod/settings.php | 1 +
 config/staging/settings.php | 1 +
 src/App/Config.php | 2 ++
 src/App/OidcClient.php | 4 +++-
 src/App/functions.php | 37 +++++++++++++++++++++++++++++++++----
 5 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/config/prod/settings.php b/config/prod/settings.php
index b418d17..b891fe4 100755
--- a/config/prod/settings.php
+++ b/config/prod/settings.php
@@ -19,6 +19,7 @@
 define('APP_OIDC_CLIENT_ID', 'nexus');
 define('APP_OIDC_CLIENT_SECRET', 'c0swC5wjBV4yimJHf2p3R9OjHOr7rhHs');
 define('APP_OIDC_REDIRECT_URI', 'https://nexus.int.kusche.berlin/auth/callback');
+ define('APP_OIDC_POST_LOGOUT_REDIRECT_URI', 'https://nexus.int.kusche.berlin/');
 define('APP_OIDC_GROUP_CLAIM', 'groups');
 define('APP_OIDC_ADMIN_GROUP', 'admin');
 define('APP_OIDC_USER_GROUP', 'family');
diff --git a/config/staging/settings.php b/config/staging/settings.php
index 459de1f..700ab20 100755
--- a/config/staging/settings.php
+++ b/config/staging/settings.php
@@ -19,6 +19,7 @@
 define('APP_OIDC_CLIENT_ID', 'nexus');
 define('APP_OIDC_CLIENT_SECRET', 'c0swC5wjBV4yimJHf2p3R9OjHOr7rhHs');
 define('APP_OIDC_REDIRECT_URI', 'https://staging.nexus.int.kusche.berlin/auth/callback');
+ define('APP_OIDC_POST_LOGOUT_REDIRECT_URI', 'https://staging.nexus.int.kusche.berlin/');
 define('APP_OIDC_GROUP_CLAIM', 'groups');
 define('APP_OIDC_ADMIN_GROUP', 'admin');
 define('APP_OIDC_USER_GROUP', 'family');
diff --git a/src/App/Config.php b/src/App/Config.php
index 0a27760..5e14784 100755
--- a/src/App/Config.php
+++ b/src/App/Config.php
@@ -21,6 +21,7 @@ class Config
 public string $oidcTokenEndpoint;
 public string $oidcUserinfoEndpoint;
 public string $oidcLogoutEndpoint;
+ public string $oidcPostLogoutRedirectUri;
 public string $oidcGroupClaim;
 public string $oidcAdminGroup;
 public string $oidcUserGroup;
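Review bot: The URI added here only takes effect if the identity provider also has it registered as an allowed post_logout_redirect_uri; in OIDC RP-initiated logout the OP validates that parameter against its registration and providers typically reject an unregistered value rather than falling back. The same hunk also shows `APP_OIDC_CLIENT_SECRET` defined as a literal string in a tracked config file, and config/staging/settings.php carries the identical literal, so production and staging share one credential that now lives in git history. Consider reading it from the environment instead, e.g. `define('APP_OIDC_CLIENT_SECRET', (string)getenv('APP_OIDC_CLIENT_SECRET'));`, giving each environment its own secret, and rotating the committed one.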
@@ -47,6 +48,7 @@ class Config
 $this->oidcTokenEndpoint = defined('APP_OIDC_TOKEN_ENDPOINT') ? (string)APP_OIDC_TOKEN_ENDPOINT : '';
 $this->oidcUserinfoEndpoint = defined('APP_OIDC_USERINFO_ENDPOINT') ? (string)APP_OIDC_USERINFO_ENDPOINT : '';
 $this->oidcLogoutEndpoint = defined('APP_OIDC_LOGOUT_ENDPOINT') ? (string)APP_OIDC_LOGOUT_ENDPOINT : '';
+ $this->oidcPostLogoutRedirectUri = defined('APP_OIDC_POST_LOGOUT_REDIRECT_URI') ? (string)APP_OIDC_POST_LOGOUT_REDIRECT_URI : '';
 $this->oidcGroupClaim = defined('APP_OIDC_GROUP_CLAIM') ? (string)APP_OIDC_GROUP_CLAIM : 'groups';
 $this->oidcAdminGroup = defined('APP_OIDC_ADMIN_GROUP') ? (string)APP_OIDC_ADMIN_GROUP : 'admin';
 $this->oidcUserGroup = defined('APP_OIDC_USER_GROUP') ? (string)APP_OIDC_USER_GROUP : 'user';
diff --git a/src/App/OidcClient.php b/src/App/OidcClient.php
index 31e7c4a..716d9a9 100644
--- a/src/App/OidcClient.php
+++ b/src/App/OidcClient.php
@@ -123,7 +123,9 @@ final class OidcClient
 return null;
 }
 $params = [
- 'post_logout_redirect_uri' => $this->config->oidcRedirectUri ? dirname($this->config->oidcRedirectUri) : '/',
+ 'post_logout_redirect_uri' => $this->config->oidcPostLogoutRedirectUri !== ''
+ ? $this->config->oidcPostLogoutRedirectUri
+ : ($this->config->oidcRedirectUri ? dirname($this->config->oidcRedirectUri) : '/'),
 ];
 if ($idToken) {
 $params['id_token_hint'] = $idToken;
diff --git a/src/App/functions.php b/src/App/functions.php
index 822688e..f45009e 100644
--- a/src/App/functions.php
+++ b/src/App/functions.php
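Review bot: The fallback on the third added line still sends `dirname()` of the callback URL, or a bare `/`, as post_logout_redirect_uri whenever the new setting is empty; `dirname()` is a filesystem helper, so for the callback `https://host/auth/callback` it produces `https://host/auth`, and `/` is not an absolute URI at all, neither of which a provider is likely to have registered. Now that an explicit setting exists it is safer to omit the parameter when it is unconfigured and let the provider apply its own default than to guess a URI; the sketch below replaces only the `$params` initialisation. The enclosing method starts before this hunk and continues after it.
```php
        $params = [];
        if ($this->config->oidcPostLogoutRedirectUri !== '') {
            $params['post_logout_redirect_uri'] = $this->config->oidcPostLogoutRedirectUri;
        }
        // … unchanged: id_token_hint handling …
```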
@@ -80,21 +80,50 @@ function auth_groups(): array
 return is_array($user['groups'] ?? null) ? $user['groups'] : [];
 }
 
+function parse_group_list(string $value): array
+{
+ $parts = preg_split('/[,\s]+/', $value) ?: [];
+ $out = [];
+ foreach ($parts as $p) {
+ $p = trim($p);
+ if ($p !== '') {
+ $out[] = $p;
+ }
+ }
+ return $out;
+}
+
 function auth_is_admin(): bool
 {
 $config = app()->config();
 $groups = auth_groups();
- return in_array($config->oidcAdminGroup, $groups, true);
+ $allowed = parse_group_list($config->oidcAdminGroup);
+ foreach ($allowed as $g) {
+ if (in_array($g, $groups, true)) {
+ return true;
+ }
+ }
+ return false;
 }
 
 function auth_is_user(): bool
 {
 $config = app()->config();
 $groups = auth_groups();
- if (in_array($config->oidcAdminGroup, $groups, true)) {
- return true;
+ $admins = parse_group_list($config->oidcAdminGroup);
+ foreach ($admins as $g) {
+ if (in_array($g, $groups, true)) {
+ return true;
+ }
 }
- return in_array($config->oidcUserGroup, $groups, true);
+
+ $users = parse_group_list($config->oidcUserGroup);
+ foreach ($users as $g) {
+ if (in_array($g, $groups, true)) {
+ return true;
+ }
+ }
+ return false;
 }
 
 function require_auth(): void
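Review bot: `parse_group_list` splits on `[,\s]+`, so a configured group name that contains a space is silently broken into two shorter names, each of which then grants the role on its own; with `APP_OIDC_ADMIN_GROUP` set to, say, `nexus admins` (constructed example), any user whose groups claim contains a group literally named `admins` would pass `auth_is_admin`. Splitting on commas only keeps the configured names intact: `foreach (explode(',', $value) as $p) {` in place of the `preg_split` line and the `foreach ($parts as $p)` line, with `trim()` still dropping surrounding whitespace. The `foreach`/`in_array` membership loop is now written three times across `auth_is_admin` and `auth_is_user`; a small shared helper removes the duplication and keeps the strict comparison in one place (sketch below). A `/** @return list<string> */` docblock on `parse_group_list` would also let static analysis see the shape the callers rely on. The empty-config case fails closed either way: an empty `oidcAdminGroup` yields no names and therefore no match.
```php
/** True when at least one entry of $allowed is present (strict) in $groups. */
function auth_has_any_group(array $allowed, array $groups): bool
{
    foreach ($allowed as $g) {
        if (in_array($g, $groups, true)) {
            return true;
        }
    }
    return false;
}

function auth_is_admin(): bool
{
    $config = app()->config();
    return auth_has_any_group(parse_group_list($config->oidcAdminGroup), auth_groups());
}

function auth_is_user(): bool
{
    $config = app()->config();
    $groups = auth_groups();
    return auth_has_any_group(parse_group_list($config->oidcAdminGroup), $groups)
        || auth_has_any_group(parse_group_list($config->oidcUserGroup), $groups);
}
```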