From d7a5097527750989b5f9bfa1685d1c196e934010 Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Mon, 15 Jul 2024 17:11:00 +1000
Subject: [PATCH] htmx logout tidy up (#2884)
---
 libs/client/src/lib.rs | 15 +++++++++++----
 server/testkit/tests/proto_v1_test.rs | 7 +++++++
 2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/libs/client/src/lib.rs b/libs/client/src/lib.rs
index c2a40f71d..9452b90b2 100644
--- a/libs/client/src/lib.rs
+++ b/libs/client/src/lib.rs
@@ -59,6 +59,7 @@ const EXPECT_VERSION: &str = env!("CARGO_PKG_VERSION");
 #[derive(Debug)]
 pub enum ClientError {
 Unauthorized,
+ SessionExpired,
 Http(reqwest::StatusCode, Option, String),
 Transport(reqwest::Error),
 AuthenticationFailed,
@@ -633,10 +634,16 @@ impl KanidmClient {
 }
 pub async fn logout(&self) -> Result<(), ClientError> {
- self.perform_get_request("/v1/logout").await?;
- let mut tguard = self.bearer_token.write().await;
- *tguard = None;
- Ok(())
+ match self.perform_get_request("/v1/logout").await {
+ Err(ClientError::Unauthorized)
+ | Err(ClientError::Http(reqwest::StatusCode::UNAUTHORIZED, _, _))
+ | Ok(()) => {
+ let mut tguard = self.bearer_token.write().await;
+ *tguard = None;
+ Ok(())
+ }
+ e => e,
+ }
 }
 pub fn get_token_cache_path(&self) -> String {
diff --git a/server/testkit/tests/proto_v1_test.rs b/server/testkit/tests/proto_v1_test.rs
index 5a5019e5d..7cbfd5069 100644
--- a/server/testkit/tests/proto_v1_test.rs
+++ b/server/testkit/tests/proto_v1_test.rs
@@ -1662,6 +1662,13 @@ async fn test_server_user_auth_token_lifecycle(rsclient: KanidmClient) {
 .await
 .expect("Failed to destroy user auth token");
+ // The session is revoked server side, but we can still call logout locally
+ // and on the 401 it will just clear the token.
+ rsclient
+ .logout()
+ .await
+ .expect("Failed to remove local token");
+
 // Since the session is revoked, check with the admin.
 let res = rsclient
 .auth_simple_password(ADMIN_TEST_USER, ADMIN_TEST_PASSWORD)
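Review bot: In `logout`, the arm that clears `bearer_token` lists `Unauthorized` and HTTP 401 but not the `SessionExpired` variant this same commit adds to `ClientError`. Whether the request path ever returns that variant is not visible in this diff, but if it does, the `e => e` arm returns the error and the stale bearer token stays in memory; adding `| Err(ClientError::SessionExpired)` to the arm closes that gap. Transport and other HTTP failures also return with the token still held, which may be intended so the caller can retry the server-side logout. If so, say it in a doc comment on `logout`, for example `/// On any error other than a 401 the local bearer token is retained; a failed logout has not discarded the credential.`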
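Review bot: The added `logout()` call in `test_server_user_auth_token_lifecycle` only checks that the result is `Ok`, so it never verifies that the local token was cleared. The test would still pass if the 401 were swallowed and the token kept. Assert directly after the `expect` that the client no longer holds a bearer token, using whatever token accessor the client exposes. The test function starts before and continues past this hunk, and the admin authentication that follows will replace the token state, so the assertion has to sit before that call.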