From a756b78a7c4fdd277801b171b4164dd24e9ffef2 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Tue, 5 Feb 2019 08:16:09 +0000
Subject: [PATCH] Do not ask user to log in in order to log out

Just serve an error on the logout page if there is no valid session,
instead of redirecting to the login workflow.
---
 server/http.go | 16 ++++++++++++----
 server/http_test.go | 1 -
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/server/http.go b/server/http.go
index 7248f03..12ecae6 100644
--- a/server/http.go
+++ b/server/http.go
@@ -206,7 +206,11 @@ func (h *Server) loginCallback(w http.ResponseWriter, req *http.Request, usernam
 return httpSession.Save(req, w)
 }
 
-func (h *Server) withAuth(f func(http.ResponseWriter, *http.Request, *authSession)) http.Handler {
+func (h *Server) redirectToLogin(w http.ResponseWriter, req *http.Request) {
+ http.Redirect(w, req, h.loginHandler.makeLoginURL(req), http.StatusFound)
+}
+
+func (h *Server) withAuth(f func(http.ResponseWriter, *http.Request, *authSession), authFail func(http.ResponseWriter, *http.Request)) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 httpSession, err := h.authSessionStore.Get(req, authSessionKey)
 if err != nil {
@@ -223,7 +227,7 @@ func (h *Server) withAuth(f func(http.ResponseWriter, *http.Request, *authSessio
 if err := httpSession.Save(req, w); err != nil {
 log.Printf("error saving session: %v", err)
 }
- http.Redirect(w, req, h.loginHandler.makeLoginURL(req), http.StatusFound)
+ authFail(w, req)
 })
 }
 
@@ -285,6 +289,10 @@ func (h *Server) handleHomepage(w http.ResponseWriter, req *http.Request, sessio
 http.Redirect(w, req, callbackURL, http.StatusFound)
 }
 
+func (h *Server) alreadyLoggedOut(w http.ResponseWriter, req *http.Request) {
+ http.Error(w, "You do not seem to be logged in", http.StatusBadRequest)
+}
+
 type logoutServiceInfo struct {
 URL string `json:"url"`
 Name string `json:"name"`
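Review bot: The new `authFail` parameter of `withAuth` has no documented contract, although the second hunk shows it is invoked only after `httpSession.Save` has run and it must write the entire response itself (a nil value would only surface as a panic at request time). Add a doc comment above the signature, e.g. `// withAuth wraps f so that it only runs with a valid authSession; on any other request the session is saved and authFail is called to produce the response.`, and give the new helper one too: `// redirectToLogin is the withAuth fallback that sends the client into the login flow.`. withAuth's body continues past the end of this hunk and is finished in the next one.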
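Review bot: `alreadyLoggedOut` does not say why the logout route answers an unauthenticated request with an error instead of the login redirect used by the other `withAuth` caller, and `req` is accepted only to satisfy the `authFail` signature; the reasoning currently lives only in the commit message. Suggest `// alreadyLoggedOut is the withAuth fallback for /logout: with no valid session there is nothing to log out of, so answer with an error instead of forcing the user through the login flow.` above the function. The response body is a fixed string served by http.Error, so nothing from the request is reflected back to the client.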
@@ -381,7 +389,7 @@ func (h *Server) Handler() http.Handler {
 // protection.
 m := http.NewServeMux()
 m.Handle(h.urlFor("/login"), h.loginHandler)
- m.Handle(h.urlFor("/logout"), h.withAuth(h.handleLogout))
+ m.Handle(h.urlFor("/logout"), h.withAuth(h.handleLogout, h.alreadyLoggedOut))
 idph := http.Handler(m)
 if h.csrfSecret != nil {
 idph = csrf.Protect(h.csrfSecret)(idph)
@@ -390,7 +398,7 @@ func (h *Server) Handler() http.Handler {
 // Add the SSO provider endpoints (root path and /exchange),
 // which do not need CSRF. We use a HandlerFunc to bypass the
 // '/' dispatch semantics of the standard http.ServeMux.
- ssoh := h.withAuth(h.handleHomepage)
+ ssoh := h.withAuth(h.handleHomepage, h.redirectToLogin)
 userh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 switch {
 case r.Method == "GET" && r.URL.Path == h.urlFor("/"):
diff --git a/server/http_test.go b/server/http_test.go
index c3fa9a6..e11560f 100644
--- a/server/http_test.go
+++ b/server/http_test.go
@@ -249,7 +249,6 @@ func TestHTTP_LoginAndLogout(t *testing.T) {
 
 // Make a logout request.
 doGet(t, httpSrv, c, "/logout", checkStatusOk)
- doPostForm(t, httpSrv, c, "/logout", nil, checkStatusOk)
 
 // This new authorization request should send us to the login page.
 v = make(url.Values)
-- 
GitLab
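Review bot: The `/logout` registration now hands `withAuth` a different fallback from the SSO root, but nothing at the call site explains the divergence, so a later reader could reasonably "normalise" it back to `h.redirectToLogin`. Suggest `// Logging out without a valid session is an error, not a reason to start the login flow.` on the line above `m.Handle(h.urlFor("/logout"), h.withAuth(h.handleLogout, h.alreadyLoggedOut))`. The second Handler hunk (`ssoh := h.withAuth(h.handleHomepage, h.redirectToLogin)`) is the other side of the same choice and needs no comment of its own. Handler's body starts and ends outside these hunks.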