Skip to content

Commit 55bc442

Browse files
committed
raise a distinct LoggedOutError when doing a forced-logged-out
refs CNVS-14595 instead of waiting for an InvalidAuthenticityToken to catch it test plan: * log in to one browser, and go to an assignment page * in another browser (or incognito) log in and log out as the same user * in browser 1, refresh. you should have to login again * watch your requests - pings should be happen periodically, and succeeding * log in/out in browser 2 * back in browser 1, a ping should fail. check your logs or errorreports - it should be a LoggedOutError, and InvalidAccessToken * refresh and log back in * log in/out in browser 2 * try to edit a rubric (or another AJAX request that's not API) - it should fail, again *not* with InvalidAccessToken Change-Id: I04c72e12fbcee7dd0aa4ce7dafcb698167a82015 Reviewed-on: https://gerrit.instructure.com/38755 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Jacob Fugal <jacob@instructure.com> QA-Review: August Thornton <august@instructure.com> Product-Review: Cody Cutrer <cody@instructure.com>
1 parent 4b9d76b commit 55bc442

4 files changed

Lines changed: 10 additions & 1 deletion

File tree

app/controllers/application_controller.rb

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -977,6 +977,7 @@ def render_rescue_action(exception, error, status, status_code)
977977

978978
if CANVAS_RAILS2
979979
rescue_responses['AuthenticationMethods::AccessTokenError'] = 401
980+
rescue_responses['AuthenticationMethods::LoggedOutError'] = 401
980981
end
981982

982983
def rescue_action_in_api(exception, error_report, response_code)

config/application.rb

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ class Application < Rails::Application
1616
require_dependency 'logging_filter'
1717
config.filter_parameters.concat LoggingFilter.filtered_parameters
1818
config.action_dispatch.rescue_responses['AuthenticationMethods::AccessTokenError'] = 401
19+
config.action_dispatch.rescue_responses['AuthenticationMethods::LoggedOutError'] = 401
1920

2021
config.app_generators do |c|
2122
c.test_framework :rspec

lib/authentication_methods.rb

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,9 @@ def load_pseudonym_from_policy
4848
class AccessTokenError < Exception
4949
end
5050

51+
class LoggedOutError < Exception
52+
end
53+
5154
def self.access_token(request, params_method = :params)
5255
auth_header = CANVAS_RAILS2 ? ActionController::HttpAuthentication::Basic.authorization(request) : request.authorization
5356
if auth_header.present? && (header_parts = auth_header.split(' ', 2)) && header_parts[0] == 'Bearer'
@@ -104,6 +107,9 @@ def load_user
104107

105108
destroy_session
106109
@current_pseudonym = nil
110+
if api_request? || request.format.json?
111+
raise LoggedOutError
112+
end
107113
end
108114
end
109115
if params[:login_success] == '1' && !@current_pseudonym

spec/lib/authentication_methods_spec.rb

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -114,7 +114,8 @@
114114

115115
describe "#load_user" do
116116
before do
117-
@request = stub(:env => {'encrypted_cookie_store.session_refreshed_at' => 5.minutes.ago})
117+
@request = stub(:env => {'encrypted_cookie_store.session_refreshed_at' => 5.minutes.ago},
118+
:format => stub(:json? => false))
118119
@controller = RSpec::MockController.new(nil, @request)
119120
@controller.stubs(:load_pseudonym_from_access_token)
120121
@controller.stubs(:api_request?).returns(false)

0 commit comments

Comments
 (0)