feat(auth): enhance logout process to support RP-Initiated Logout for OIDC users

server/routes/auth.js

@@ -11,6 +11,7 @@ import { getDb } from '../config/database.js';
 import redis from '../config/redis.js';
 import { authenticateToken, generateToken, getBaseUrl } from '../middleware/auth.js';
 import { isMailerConfigured, sendVerificationEmail } from '../config/mailer.js';
+import { getOAuthConfig, discoverOIDC } from '../config/oauth.js';
 import { log } from '../config/logger.js';
 
 if (!process.env.JWT_SECRET) {
@@ -379,7 +380,31 @@ router.post('/logout', authenticateToken, async (req, res) => {
       }
     }
 
-    res.json({ message: 'Logged out successfully' });
+    // ── RP-Initiated Logout for OIDC/Keycloak users ──────────────────────
+    let keycloakLogoutUrl = null;
+    if (req.user.oauth_provider === 'oidc') {
+      try {
+        const config = await getOAuthConfig();
+        if (config) {
+          const oidc = await discoverOIDC(config.issuer);
+          if (oidc.end_session_endpoint) {
+            const idToken = await redis.get(`oidc:id_token:${req.user.id}`);
+            await redis.del(`oidc:id_token:${req.user.id}`);
+            const baseUrl = getBaseUrl(req);
+            const params = new URLSearchParams({
+              post_logout_redirect_uri: `${baseUrl}/`,
+              client_id: config.clientId,
+            });
+            if (idToken) params.set('id_token_hint', idToken);
+            keycloakLogoutUrl = `${oidc.end_session_endpoint}?${params.toString()}`;
+          }
+        }
+      } catch (oidcErr) {
+        log.auth.warn(`Could not build Keycloak logout URL: ${oidcErr.message}`);
+      }
+    }
+
+    res.json({ message: 'Logged out successfully', keycloakLogoutUrl });
   } catch (err) {
     log.auth.error(`Logout error: ${err.message}`);
     res.status(500).json({ error: 'Logout failed' });