github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-16 23:12:45 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Logout could fail due to cached user (#17325)

Browse Source 
Logging out failed when the current user was cached by an instance of `Auth::DefaultCurrentUserProvider` and `#log_off_user` was called on a different instance of that class.

Co-authored-by: Sam <sam.saffron@gmail.com>
This commit is contained in:
Gerhard Schlager 2022-07-04 17:01:19 +02:00 committed by GitHub
parent a0a7b3f9c4
commit 8bdbefe0e0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/auth/default_current_user_provider.rb
View File

@ -25,6 +25,7 @@ require_relative '../route_matcher'
class Auth::DefaultCurrentUserProvider
CURRENT_USER_KEY ||= "_DISCOURSE_CURRENT_USER"
USER_TOKEN_KEY ||= "_DISCOURSE_USER_TOKEN"
API_KEY ||= "api_key"
API_USERNAME ||= "api_username"
HEADER_API_KEY ||= "HTTP_API_KEY"
@ -102,6 +103,7 @@ class Auth::DefaultCurrentUserProvider
def initialize(env)
@env = env
@request = Rack::Request.new(env)
@user_token = env[USER_TOKEN_KEY]
end
# our current user, return nil if none is found
@ -139,7 +141,7 @@ class Auth::DefaultCurrentUserProvider
limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN , 60)
if limiter.can_perform?
@user_token = begin
@env[USER_TOKEN_KEY] = @user_token = begin
UserAuthToken.lookup(
auth_token,
seen: true,
@ -263,7 +265,7 @@ class Auth::DefaultCurrentUserProvider
end
def log_on_user(user, session, cookie_jar, opts = {})
@user_token = UserAuthToken.generate!(
@env[USER_TOKEN_KEY] = @user_token = UserAuthToken.generate!(
user_id: user.id,
user_agent: @env['HTTP_USER_AGENT'],
path: @env['REQUEST_PATH'],

17
spec/lib/auth/default_current_user_provider_spec.rb
View File

@ -779,4 +779,21 @@ describe Auth::DefaultCurrentUserProvider do
expect(provider2.current_user).to eq(user)
expect(provider2.cookie_jar.encrypted["_t"].keys).to include("user_id", "token") # (strings)
end
describe "#log_off_user" do
it "should work when the current user was cached by a different provider instance" do
user_provider = provider('/')
user_provider.log_on_user(user, {}, user_provider.cookie_jar)
cookie = CGI.escape(user_provider.cookie_jar["_t"])
env = create_request_env(path: "/").merge({ method: "GET", "HTTP_COOKIE" => "_t=#{cookie}" })
user_provider = TestProvider.new(env)
expect(user_provider.current_user).to eq(user)
expect(UserAuthToken.find_by(user_id: user.id)).to be_present
user_provider = TestProvider.new(env)
user_provider.log_off_user({}, user_provider.cookie_jar)
expect(UserAuthToken.find_by(user_id: user.id)).to be_nil
end
end
end