FIX: Logout could fail due to cached user

Logging out failed when the current user was cached by an instance of `Auth::DefaultCurrentUserProvider` and `#log_off_user` was called on a different instance of that class. Co-authored-by: Sam <sam.saffron@gmail.com>
2025-03-03 22:04:45 +08:00 · 2022-07-04 16:33:59 +02:00 · 2022-07-04 16:33:59 +02:00 · 3d1bbf7446
commit 3d1bbf7446
parent 61ed83ecfc
2 changed files with 21 additions and 2 deletions
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -25,6 +25,7 @@ require_relative '../route_matcher'
 class Auth::DefaultCurrentUserProvider

  CURRENT_USER_KEY ||= "_DISCOURSE_CURRENT_USER"
+  USER_TOKEN_KEY ||= "_DISCOURSE_USER_TOKEN"
  API_KEY ||= "api_key"
  API_USERNAME ||= "api_username"
  HEADER_API_KEY ||= "HTTP_API_KEY"
@ -99,6 +100,7 @@ class Auth::DefaultCurrentUserProvider
  def initialize(env)
    @env = env
    @request = Rack::Request.new(env)
+    @user_token = env[USER_TOKEN_KEY]
  end

  # our current user, return nil if none is found
@ -136,7 +138,7 @@ class Auth::DefaultCurrentUserProvider
      limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN , 60)

      if limiter.can_perform?
-        @user_token = begin
+        @env[USER_TOKEN_KEY] = @user_token = begin
          UserAuthToken.lookup(
            auth_token,
            seen: true,
@ -255,7 +257,7 @@ class Auth::DefaultCurrentUserProvider
  end

  def log_on_user(user, session, cookie_jar, opts = {})
-    @user_token = UserAuthToken.generate!(
+    @env[USER_TOKEN_KEY] = @user_token = UserAuthToken.generate!(
      user_id: user.id,
      user_agent: @env['HTTP_USER_AGENT'],
      path: @env['REQUEST_PATH'],
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@ -760,4 +760,21 @@ describe Auth::DefaultCurrentUserProvider do
    env = { "HTTP_COOKIE" => "_t=#{cookie}", "REMOTE_ADDR" => ip }
    expect(provider('/', env).current_user).to eq(nil)
  end
+
+  describe "#log_off_user" do
+    it "should work when the current user was cached by a different provider instance" do
+      user_provider = provider('/')
+      user_provider.log_on_user(user, {}, user_provider.cookie_jar)
+      cookie = user_provider.cookie_jar["_t"]
+      env = create_request_env(path: "/").merge({ method: "GET", "HTTP_COOKIE" => "_t=#{cookie}" })
+
+      user_provider = TestProvider.new(env)
+      expect(user_provider.current_user).to eq(user)
+      expect(UserAuthToken.find_by(user_id: user.id)).to be_present
+
+      user_provider = TestProvider.new(env)
+      user_provider.log_off_user({}, user_provider.cookie_jar)
+      expect(UserAuthToken.find_by(user_id: user.id)).to be_nil
+    end
+  end
 end