Apexal / late

A web app for RPI students to manage their course load.
https://www.late.work
MIT License

Visiting /auth/logout does not log the user out of CAS #614

Closed robere2 closed 4 years ago

robere2 commented 4 years ago

Describe the bug

According to the CAS protocol, if you don't specifically redirect the user to /logout, their session will remain active on RPI CAS. This means once they're redirected to a /login page again, they'll immediately be signed in without a password, assuming they did not check the box "Warn me before logging me into other sites" (unchecked by default). If they did check this box, they will still be able to access the account without a password by clicking a button.

This is a security issue as it means anyone (especially those on public computers) can click "Log out" however their session actually remains active. If they or someone else were to try to log in again (within a certain period of time, not sure how long), they would get access to the account without entering an email and password.

You can test and replicate this by opening the website in Incognito, log in, log out, and log back in. You should not have to enter your password. If you go to another website that uses CAS, you should not have to log in there either.

The fix for this should be pretty simple: Change this line to redirect the user to https://cas-auth.rpi.edu/cas/logout?service=http%3A%2F%2Flate.work

https://github.com/Apexal/late/blob/b9c9b99935e2e04b4b9e8a5c4c8fa2384c772f9f/server/auth/index.js#L33

Unfortunately, the downside is CAS does not currently redirect back based on the service, despite having CAS 3.0 support, which supposedly requires it. You could attempt to contact DOTCIO to resolve this.

I've flagged this as high priority since it is security related, but please change it if you disagree.
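The handler shape the report describes, as an added example (not code from the Apexal/late repository): a local-only logout beside one that sends the browser to the CAS logout endpoint with the `service` parameter from the report. It assumes a Koa-style `ctx` where setting `ctx.session = null` destroys the app session and `ctx.redirect(url)` issues the redirect; the `fakeCtx`/`simulateLogout` helpers and the simulated SSO cookie are constructed here so it runs offline. The CAS base URL and service URL are the ones quoted in the issue.

```javascript
// Added example, not the project's own code. Assumes a Koa-style ctx
// (ctx.session set to null to destroy; ctx.redirect(url)); helper names below
// are hypothetical.

const CAS_BASE_URL = 'https://cas-auth.rpi.edu/cas';   // from the issue
const SERVICE_URL = 'http://late.work';                 // service URL from the issue

// Build the CAS logout URL. encodeURIComponent gives the %3A%2F%2F form
// shown in the report; a trailing slash on the base is tolerated.
function casLogoutUrl(casBaseUrl, serviceUrl) {
  const base = casBaseUrl.replace(/\/+$/, '');
  return `${base}/logout?service=${encodeURIComponent(serviceUrl)}`;
}

// "Before": only the application's own session is cleared. The CAS single
// sign-on cookie in the browser survives, so the next trip to /login is
// answered by CAS without a password.
function logoutLocalOnly(ctx) {
  ctx.session = null;
  ctx.redirect('/');
}

// "After": clear the local session, then hand the browser to the CAS logout
// endpoint so the SSO session is ended as well. The service parameter asks
// CAS 3.0 to redirect back afterwards; the report notes RPI's CAS may ignore it,
// in which case the user simply lands on the CAS logout page.
function logoutViaCas(ctx) {
  ctx.session = null;
  ctx.redirect(casLogoutUrl(CAS_BASE_URL, SERVICE_URL));
}

// Minimal stand-in for Koa's ctx so the handlers can be exercised offline
// (constructed for this example).
function fakeCtx() {
  const ctx = { session: { user: 'someone' }, redirectedTo: null };
  ctx.redirect = (url) => { ctx.redirectedTo = url; };
  return ctx;
}

// Simulated browser state: the CAS SSO cookie is only dropped when the browser
// is actually sent to the CAS logout endpoint, which is the bug in one line.
function simulateLogout(handler) {
  const ctx = fakeCtx();
  const browser = { casSsoCookie: true };
  handler(ctx);
  if (ctx.redirectedTo && ctx.redirectedTo.startsWith(`${CAS_BASE_URL}/logout`)) {
    browser.casSsoCookie = false;
  }
  return {
    localSession: ctx.session,
    casSsoCookie: browser.casSsoCookie,
    redirectedTo: ctx.redirectedTo,
  };
}
```

The check worth keeping in a real test suite is the second half: after `/auth/logout` the app session must be gone and the response must be a redirect to the CAS host's `/logout`, not to a local page.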

Apexal commented 4 years ago

Great catch, the cas module had something to handle this but it didn't work with Koa unfortunately, so I dropped it. I totally didn't think of those security implications; that certainly is a problem! I'll fix it immediately.