0002-auth_fc-close-FranceConnect-session-when-linking-fai.patch

Benjamin Dauvergne, 23 November 2022 01:20 PM



Subject: [PATCH 2/2] auth_fc: close FranceConnect session when linking fails
 (#71607)

 src/authentic2_auth_fc/views.py | 25 +++++++++++++++----------
 tests/auth_fc/test_auth_fc.py   |  6 ++++++
 2 files changed, 21 insertions(+), 10 deletions(-)
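--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@@ -124,6 +124,15 @@
     def redirect(self):
         return utils_misc.redirect(self.request, self.next_url)
 
+    def logout_and_redirect(self):
+        url = utils.build_logout_url(self.request, self.authenticator.logout_url, next_url=self.next_url)
+        if url:
+            clean_fc_session(self.request.session)
+            response = utils_misc.redirect(self.request, url, resolve=False)
+            response.display_message = False
+            return response
+        return self.redirect()
+
     @property
     def fc_display_name(self):
         '''Human representation of the current FC account'''
@@ -228,6 +237,10 @@
         # clear FranceConnect down status
         cache.delete('fc_is_down')
 
+        # keep id_token around for logout
+        request.session['fc_id_token'] = self.id_token
+        request.session['fc_id_token_raw'] = self.token['id_token']
+
         if request.user.is_authenticated:
             return self.link(request)
         else:
@@ -334,10 +347,6 @@
 
     def link(self, request):
         '''Request an access grant code and associate it to the current user'''
-        # keep id_token around for logout
-        request.session['fc_id_token'] = self.id_token
-        request.session['fc_id_token_raw'] = self.token['id_token']
-
         try:
             self.fc_account, created = models.FcAccount.objects.get_or_create(
                 sub=self.sub,
@@ -377,7 +386,7 @@
             created = False
 
         if not user:
-            return self.redirect()
+            return self.logout_and_redirect()
 
         return self.finish_login(request, user, self.user_info, created)
 
@@ -386,10 +395,6 @@
         utils_views.check_cookie_works(request)
         utils_misc.login(request, user, 'france-connect')
 
-        # keep id_token around for logout
-        request.session['fc_id_token'] = self.id_token
-        request.session['fc_id_token_raw'] = self.token['id_token']
-
         # set session expiration policy to EXPIRE_AT_BROWSER_CLOSE
         request.session.set_expiry(0)
 
@@ -517,7 +522,7 @@
                     self.fc_display_name
                 ),
             )
-        return self.redirect()
+        return self.logout_and_redirect()
 
     def update_user_info(self, user, user_info):
         # always handle given_name and family_name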
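Review bot: In `logout_and_redirect` (new lines 127–134) the session is cleaned only on the branch where a logout URL exists; when `build_logout_url` returns a falsy value the method falls through to `self.redirect()` and leaves `fc_id_token` and `fc_id_token_raw` — which the callback now writes at new lines 240–242, before any linking decision is made — in a session whose linking just failed. Since the token is stored unconditionally, the failure path should drop it regardless of whether a provider-side logout is possible; assuming `build_logout_url` reads the token from the session (it is already called before the cleanup today), keep that order and hoist the call so the method reads `url = utils.build_logout_url(self.request, self.authenticator.logout_url, next_url=self.next_url)` followed by `clean_fc_session(self.request.session)` and only then `if url:`, deleting the indented call inside the branch. Both callers switched to `logout_and_redirect` (new lines 389 and 525) take this fall-through when no logout URL is configured. The enclosing class, and the methods containing the hunks at new lines 237–246 and 395–400, start outside the section.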
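--- a/tests/auth_fc/test_auth_fc.py
+++ b/tests/auth_fc/test_auth_fc.py
@@ -262,6 +262,8 @@
         cookie = cookie[0].message
     assert 'is already used' in cookie
     assert '_auth_user_id' not in app.session
+    response = franceconnect.handle_logout(app, response.location)
+    assert response.location == '/idp/'
 
 
 def test_requests_proxies_support(settings, app, monkeypatch):
@@ -466,6 +468,8 @@
     User.objects.create(email=franceconnect.user_info['email'], ou=ou)
 
     response = franceconnect.login_with_fc(app, path='/accounts/')
+    response = franceconnect.handle_logout(app, response.location)
+    assert response.location == '/accounts/'
 
     response = response.maybe_follow()
     assert 'is already used by another' in response
@@ -657,6 +661,8 @@
 
     resp = franceconnect.login_with_fc_fixed_params(app)
 
+    resp = franceconnect.handle_logout(app, resp.location)
+
     resp = resp.maybe_follow()
     # email collision, sub is different, no new user created
     assert User.objects.count() == 1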
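Review bot: The three new `handle_logout` round-trips (new lines 265, 471 and 664) check only the final redirect target; none checks that the FranceConnect token the callback now stores in the session is gone once linking has failed, which is the state the views change is meant to guarantee. Adding `assert 'fc_id_token' not in app.session` after each `handle_logout` call would pin that cleanup, assuming `clean_fc_session` removes that key — its body is not visible here. The third hunk also has no assertion on `resp.location` unlike the first two, so a wrong post-logout target would go unnoticed there. The enclosing test functions start outside the hunks.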