Do not ask user to log in in order to log out

Just serve an error on the logout page if there is no valid session, instead of redirecting to the login workflow.

Do not ask user to log in in order to log out
a756b78a · ale · 2f921a80 · a756b78a · a756b78a
Commit a756b78a authored 6 years ago by ale
--- a/server/http.go
+++ b/server/http.go
@@ -206,7 +206,11 @@ func (h *Server) loginCallback(w http.ResponseWriter, req *http.Request, usernam
 	return httpSession.Save(req, w)
 }

-func (h *Server) withAuth(f func(http.ResponseWriter, *http.Request, *authSession)) http.Handler {
+func (h *Server) redirectToLogin(w http.ResponseWriter, req *http.Request) {
+	http.Redirect(w, req, h.loginHandler.makeLoginURL(req), http.StatusFound)
+}
+
+func (h *Server) withAuth(f func(http.ResponseWriter, *http.Request, *authSession), authFail func(http.ResponseWriter, *http.Request)) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		httpSession, err := h.authSessionStore.Get(req, authSessionKey)
 		if err != nil {
@@ -223,7 +227,7 @@ func (h *Server) withAuth(f func(http.ResponseWriter, *http.Request, *authSessio
 		if err := httpSession.Save(req, w); err != nil {
 			log.Printf("error saving session: %v", err)
 		}
-		http.Redirect(w, req, h.loginHandler.makeLoginURL(req), http.StatusFound)
+		authFail(w, req)
 	})
 }

@@ -285,6 +289,10 @@ func (h *Server) handleHomepage(w http.ResponseWriter, req *http.Request, sessio
 	http.Redirect(w, req, callbackURL, http.StatusFound)
 }

+func (h *Server) alreadyLoggedOut(w http.ResponseWriter, req *http.Request) {
+	http.Error(w, "You do not seem to be logged in", http.StatusBadRequest)
+}
+
 type logoutServiceInfo struct {
 	URL  string `json:"url"`
 	Name string `json:"name"`
@@ -381,7 +389,7 @@ func (h *Server) Handler() http.Handler {
 	// protection.
 	m := http.NewServeMux()
 	m.Handle(h.urlFor("/login"), h.loginHandler)
-	m.Handle(h.urlFor("/logout"), h.withAuth(h.handleLogout))
+	m.Handle(h.urlFor("/logout"), h.withAuth(h.handleLogout, h.alreadyLoggedOut))
 	idph := http.Handler(m)
 	if h.csrfSecret != nil {
 		idph = csrf.Protect(h.csrfSecret)(idph)
@@ -390,7 +398,7 @@ func (h *Server) Handler() http.Handler {
 	// Add the SSO provider endpoints (root path and /exchange),
 	// which do not need CSRF. We use a HandlerFunc to bypass the
 	// '/' dispatch semantics of the standard http.ServeMux.
-	ssoh := h.withAuth(h.handleHomepage)
+	ssoh := h.withAuth(h.handleHomepage, h.redirectToLogin)
 	userh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch {
 		case r.Method == "GET" && r.URL.Path == h.urlFor("/"):

--- a/server/http_test.go
+++ b/server/http_test.go
@@ -249,7 +249,6 @@ func TestHTTP_LoginAndLogout(t *testing.T) {

 	// Make a logout request.
 	doGet(t, httpSrv, c, "/logout", checkStatusOk)
-	doPostForm(t, httpSrv, c, "/logout", nil, checkStatusOk)

 	// This new authorization request should send us to the login page.
 	v = make(url.Values)