⚠️🚨⚠️ Project/labels may still need to be added ⚠️🚨⚠️

Summary

• Shawn Lee-Kwong from customer accounts raised an issue regarding the usage of post_logout_redirect_uri option in the logout settings by a merchant. The team discussed if the client logout in Hydrogen has any specific logic that utilizes this option or if there is an option for developers to input that information.
• Michelle Chen confirmed that the logout method doesn't take any option for post logout redirect, though the documentation promotes the Logout URI setting to be the site origin as a default.
• Shawn clarified that the post_logout_redirect_uri will be validated against the Logout URI setting and if it doesn't match, it will default to the first it finds in the list. The default can be empty and not pass in that param, doing what it does now. If there is nothing in the logout uri setting, it defaults to the shop's domain url.
• Bret Little pointed out potential risks if a headless site doesn't configure a logout redirect url, doesn't pass a redirect url to the logout method, and doesn't have a redirect from the shopify domain to the headless domain. In such a case, a user would end up on the shopify domain, which could be problematic.
• Shawn explained that this level of checking is necessary as part of the oauth flow to prevent potential hijacking of a logout and redirection to an attacker site.

This summary was generated using OpenAI's gpt-4 with a temperature of 0.5.

🧵 Slack Thread

User		Message
	Shawn Lee-Kwong 2024‑03‑01 14:14	Hey all, 👋 from new customer accounts, we were helping a merchant with their logout settings and realized they were not using post_logout_redirect_uri option to help make sure the customer redirected to the correct place after logging out. This made us take a look at the client you guys made for hydrogen, we were wondering if the client logout has an specific logic to logout that utilitizes the post_logout_redirect_uri or if there was an option for a developer to input that information
	Kara Daviduik 2024‑03‑01 14:24	cc @lynchv
	Michelle Chen 2024‑03‑01 14:39	right, so the logout method doesn’t take any option for post logout redirect. In the doc we do promote the Logout URI setting to be the site origin so there is always a default. Just to better understand the ideal flow for merchant using post_logout_redirect_uri . Is there any restriction on this uri? ie. it need to be listed as part of the Logout URI setting?
	Michelle Chen 2024‑03‑01 14:40	I am 👍 for adding an option for post logout redirect. Just wondering what I should make the default as.
	Shawn Lee-Kwong 2024‑03‑01 14:44	Just to better understand the ideal flow for merchant using <code>post_logout_redirect_uri</code> . Is there any restriction on this uri? ie. it need to be listed as part of the Logout URI setting? Yes, what is passed into post_logout_redirect_uri will be validated against the Logout URI setting, if it doesn’t match, it will default to the first it finds in the list (logout uri setting)
	Shawn Lee-Kwong 2024‑03‑01 14:50	I am 👍 for adding an option for post logout redirect. Just wondering what I should make the default as. The default can be empty and not pass in that param, it will do what it does now. I think that is the only good default since we can’t guarantee a merchant / dev putting anything in the list of logout uri’s. If there is nothing in the logout uri setting, it defaults to the shops domain url
	Bret Little 2024‑03‑01 15:36	@s-lee-kwong is the shops domain url the myshopify.com domain?
	Bret Little 2024‑03‑01 15:37	That's probably fine even if it's that. I think we still recommend devs add a redirect script to their liquid site for headless. cc @benjaminsehl
	Shawn Lee-Kwong 2024‑03‑01 15:42	ya it would be Bret
	Bret Little 2024‑03‑01 15:44	So that's the only risk: A headless site doesn't configure a logout redirect url Doesn't pass a redirect url to the logout method (assuming we add it to hydrogen) They don't have a redirect from myshopify.com to the headless domain If all of those scenarios are true, a user would end up on myshopify.com, which would likely be bad. But if this happens, they probably already have issues where merchants end up on the myshopify.com domain without a redirect.
	Shawn Lee-Kwong 2024‑03‑01 15:45	so if 1. happens, 2. couldn’t happen since 2. would check against 1. and then you end up with the outcome as well
	Bret Little 2024‑03‑01 15:47	Is that level of checking necessary? Why not just verify the logout uri is on the same authorized domain?
	Shawn Lee-Kwong 2024‑03‑01 15:49	it’s part of the oauth flow, we don’t want someone to hijack a logout and redirect them to an attacker site. Same concept as the redirect_uri, albeit logout redirect is probably less dangerous
	Shawn Lee-Kwong 2024‑03‑01 15:50	though I get your point about the authorized domain, Identity actually doesn’t know anything about the authorized domain other than the redirect uri but it doesn’t store that info in the tokens or anything like that

Michelle Chen archived this conversation from hydrogen-oxygen at 2024‑03‑01 21:31.
All times are in UTC.