From 49865e66d66f24e394dc61f201a6021d844757f2 Mon Sep 17 00:00:00 2001
From: Guillermo Pages
Date: Thu, 2 Oct 2025 23:19:51 +0200
Subject: [PATCH] fix: logout redirect loop
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Changed GET /auth/logout to redirect to rpFrontendUrl instead of /login to prevent re-authentication loop. When user logged out, redirecting to /login would immediately start new OIDC flow with still-valid SwissOID session, causing auto-login. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 src/oidc/OIDCStandardRoutes.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/oidc/OIDCStandardRoutes.ts b/src/oidc/OIDCStandardRoutes.ts
index b2ca1fa..40e3219 100644
--- a/src/oidc/OIDCStandardRoutes.ts
+++ b/src/oidc/OIDCStandardRoutes.ts
@@ -674,10 +674,10 @@ export function createOidcStandardRoutes(config: OidcStandardConfig): Router {
 res.clearCookie(sessionCookieName, getCookieOptions());
- // For GET requests, redirect to login page
+ // For GET requests, redirect to frontend landing page to avoid re-login loop
 // For POST requests, return JSON
 if (req.method === 'GET') {
- return res.redirect('/login');
+ return res.redirect(rpFrontendUrl);
 } else {
 return res.json({ success: true });
 }
@@ -685,7 +685,7 @@ export function createOidcStandardRoutes(config: OidcStandardConfig): Router {
 } catch (error) {
 logger.error('Error during logout', error);
 if (req.method === 'GET') {
- return res.redirect('/login');
+ return res.redirect(rpFrontendUrl);
 } else {
 return res.status(500).json({ error: 'Logout failed' });
 }
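Review bot: The GET branch at `return res.redirect(rpFrontendUrl);` still ends only the local session: the visible code clears `sessionCookieName`, and the commit message says the SwissOID session stays valid, so whoever opens /login in that browser afterwards is signed in again without credentials. If the provider advertises an `end_session_endpoint`, send the GET there with `post_logout_redirect_uri` set to `rpFrontendUrl` so the provider session ends as well. If it does not, record the limit above the redirect, for example `// Local logout only: the provider session survives, so /login re-authenticates silently`. The handler starts and ends outside this hunk, so token revocation may already happen earlier in it.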
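Review bot: The catch branch now sends a failed GET logout to the same `rpFrontendUrl` as a successful one, so the user lands on the frontend with no sign that the session may still be live. The only visible `res.clearCookie(sessionCookieName, getCookieOptions());` sits in the try body of the first hunk, and whether it ran depends on where the error was thrown, which neither hunk shows. Clear the cookie in the catch as well, before the redirect, by repeating `res.clearCookie(sessionCookieName, getCookieOptions());` after `logger.error(...)`, assuming both names are in scope there. The try block opens outside this hunk.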