feat: return to current page after logout #411

Open
alukach wants to merge 2 commits into main from worktree-logout-return-to

alukach commented Jul 2, 2026

Contributor

What

The Logout button in AccountDropdown hit Ory's browser logout flow without a return_to param, so after logout Ory redirected users to its server-configured default (the app root). This passes the current page URL as return_to so users land back on the page they were on.

This mirrors the existing login flow, which already passes the full current URL via return_to (loginUrl / getReturnToUrl), so the mechanism is proven.

Change

```ts
const logoutFlow = new URL(CONFIG.auth.routes.logout);
logoutFlow.searchParams.set("return_to", window.location.href);
```

One line, client-side (window.location.href), in src/components/layout/AccountDropdown.tsx.

Notes / caveats

  • Ory allow-list: Ory only honors return_to values in selfservice.allowed_return_urls. Login already returns to full same-origin URLs, so same-origin paths are almost certainly already allowed — that config lives outside this repo, worth a confirm.
  • Auth-gated pages: returning to a protected page right after logout will just bounce to login. Left as-is for now (usual behavior); can add a skip-list if desired.
  • Pre-existing: the dropdown button bypasses the separate /logout route, which also clears the sc_proxy_creds cookie. Not addressed here — this PR is scoped to the redirect. Consolidating the two logout paths could be a follow-up.

🤖 Generated with Claude Code

The Logout button hit Ory's logout flow without a `return_to`, so users
landed on Ory's configured default (the app root). Pass the current page
URL as `return_to` — mirroring the existing login flow — so logout returns
users to where they were.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

vercel Bot commented Jul 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| source-cooperative | Ready | Preview, Comment | Jul 2, 2026 5:57am |

claude Bot commented Jul 2, 2026

Contributor

Claude finished @alukach's task in 1m 31s


Review

  • Gather context (PR description, diff, changed file)
  • Review diff for correctness/security/best-practice issues
  • Post findings

✅ No blocking issues — safe to merge.

  • src/components/layout/AccountDropdown.tsx:39: new URL(CONFIG.auth.routes.logout, window.location.origin) correctly resolves the relative dev-only route (frontendUrl is "" locally) while the explicit base is ignored when CONFIG.auth.routes.logout is already absolute in prod, per the URL spec. This fixes the TypeError from the prior commit and matches the existing loginUrl/getReturnToUrl pattern already used for login.
  • src/components/layout/AccountDropdown.tsx:40: return_to is set from window.location.href, which is the browser's own current location rather than attacker-controllable input, so this isn't an open-redirect vector. As the PR description already notes, Ory only honors return_to values on its selfservice.allowed_return_urls allow-list (config outside this repo) — worth a quick confirm there, but not blocking since login already relies on the same allow-list for full-URL same-origin returns.
  • Pre-existing (not introduced by this PR, already called out in the description): the dropdown's handleLogout bypasses src/app/(app)/logout/route.tsx, so the sc_proxy_creds cookie isn't cleared on this path. No change needed here — reasonable to scope that as a follow-up.

new URL(CONFIG.auth.routes.logout) threw a TypeError in dev, where
NEXT_PUBLIC_ORY_UI_URL is empty and the route is the same-origin
relative path /self-service/logout/browser. The throw killed
handleLogout, so the logout button did nothing. Pass
window.location.origin as the base: it resolves the relative dev route
and is ignored when the route is already absolute (prod).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
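
An added example, not code from this PR or the project, of the two behaviours discussed in this thread: resolving the logout route against an explicit base, and keeping return_to on the page's own origin. It goes beyond the PR by also validating return_to values that do not come from window.location.href; the function names and the example.test origins are assumptions made for illustration.

```javascript
// Added example, not the project's code. Function names and the
// example.test / localhost origins are constructed for illustration.

// Return `candidate` as an absolute URL string only if it is an http(s) URL
// on `origin`; otherwise fall back to the origin root.
function safeReturnTo(candidate, origin) {
  let url;
  try {
    url = new URL(candidate, origin); // relative values resolve against origin
  } catch {
    return origin + "/";
  }
  const httpLike = url.protocol === "https:" || url.protocol === "http:";
  return httpLike && url.origin === origin ? url.href : origin + "/";
}

// Build the logout flow URL. The base (page origin) is used only when `route`
// is relative (the dev case); an absolute route (the prod case) ignores it.
function buildLogoutUrl(route, pageHref) {
  const origin = new URL(pageHref).origin;
  const flow = new URL(route, origin);
  flow.searchParams.set("return_to", safeReturnTo(pageHref, origin));
  return flow.href;
}

// Without a base, a relative route cannot be parsed: this is the TypeError
// that the second commit message describes.
function parsesWithoutBase(route) {
  try {
    new URL(route);
    return true;
  } catch {
    return false;
  }
}
```

The client-side same-origin check complements the server-side allow-list (selfservice.allowed_return_urls) and does not replace it.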