feat(auth): add GET /auth/portal-sign-out/ for cross-app logout chain

[awais786]

Summary

Lets the foss-server-bundle portal's "Log out of all apps" button include Plane in the redirect chain. Existing POST /auth/sign-out/ is CSRF-protected, so the portal can't redirect into it cross-origin. This adds a GET variant that the portal can navigate the browser through.

The portal builds a nested chain like:

window.location =
  'https://pm.<domain>/auth/portal-sign-out/?next=' + encodeURIComponent(
    'https://docs.<domain>/auth/portal-logout?next=' + encodeURIComponent(
      'https://paint.<domain>/...?next=' + encodeURIComponent(
        '/oauth2/sign_out?rd=' + encodeURIComponent(
          'https://<cognito>/logout?client_id=...&logout_uri=<portal>'
        )
      )
    )
  );

Each app clears its own session cookie while the browser is on that app's domain (so Set-Cookie scope is correct), and the final hop lands at the portal.

Endpoint

GET /auth/portal-sign-out/?next=<absolute_url>

1. logout(request) — flushes the Django session
2. Validates next against the env-configured allowlist
3. 302 to next (or to MPASS_SIGNOUT_URL if next is omitted)

CSRF-exempt — the portal can't share a CSRF token cross-origin. Residual risk is force-logout (an attacker embeds <img src=".../portal-sign-out"> and the victim's session ends). Low impact: the only state lost is the session itself, and ForwardAuth re-auths on the next request.

New setting

# Comma-separated host suffixes. Each entry matches its exact host plus all
# subdomains. Empty list rejects any ?next= (the endpoint still flushes the
# session — it just won't redirect).
MPASS_SIGNOUT_NEXT_ALLOWED_HOSTS=foss.arbisoft.com,localhost

Suffix match enforces a dot boundary, so foss.arbisoft.com matches pm.foss.arbisoft.com but not foss.arbisoft.com.evil.example — closes the obvious open-redirect surface.

Test plan

• pytest apps/api/plane/tests/unit/views/test_portal_signout.py -v passes — covers:
  • Valid next= on allowlisted host → 302 + logout() called
  • No next= → falls back to MPASS_SIGNOUT_URL
  • No next= and no MPASS_SIGNOUT_URL → 302 to /
  • next= on disallowed host → 400
  • Suffix-match dot boundary (foss.arbisoft.com.evil rejected)
  • Subdomain (docs.foss.arbisoft.com) matches the suffix entry
  • Empty allowlist rejects all ?next=
  • Malformed ?next= (no hostname) → 400
  • Allowlist entry written as .foss.arbisoft.com (with leading dot) is normalised
• Manual: curl GET /auth/portal-sign-out/?next=https://docs.foss.arbisoft.com/auth/portal-logout with a Django session cookie — verify session cookie is cleared in the response and Location header is the next URL.
• Manual: same curl but with next=https://evil.example/x — verify 400.

Relation to other PRs

• fix: drop stale Django session when proxy identity changes #29 — server-side mismatch detection (ProxyAuthMiddleware). Recovery path: catches stale sessions on the next request when upstream identity differs. Already triggers automatically after the portal flow; this PR makes the cleanup synchronous instead of lazy.
• fix(signout): chain oauth2-proxy and Cognito logout after Django sign-out #30 — in-app sign-out button chains Django → oauth2-proxy → Cognito. Frontend-only; this PR is the backend counterpart for the portal-driven flow.

Open follow-up

Outline / Penpot / Twenty will each need an analogous endpoint in their own session technology to fully participate in the portal redirect chain. Those PRs are separate.

🤖 Generated with Claude Code

[awais786]

Closing — the portal-driven logout chain (where the portal redirects through each app's logout URL) was an alternative to middleware self-healing. Going with #29's middleware mismatch detection as the load-bearing fix; portal can keep doing what it already does (clear _oauth2_proxy + Cognito) and Plane self-corrects on the next request. Can revisit if synchronous cleanup becomes a hard requirement.