Commit a756b78a authored by ale's avatar ale

Do not ask user to log in in order to log out

Just serve an error on the logout page if there is no valid session,
instead of redirecting to the login workflow.
parent 2f921a80
......@@ -206,7 +206,11 @@ func (h *Server) loginCallback(w http.ResponseWriter, req *http.Request, usernam
return httpSession.Save(req, w)
}
func (h *Server) withAuth(f func(http.ResponseWriter, *http.Request, *authSession)) http.Handler {
func (h *Server) redirectToLogin(w http.ResponseWriter, req *http.Request) {
http.Redirect(w, req, h.loginHandler.makeLoginURL(req), http.StatusFound)
}
func (h *Server) withAuth(f func(http.ResponseWriter, *http.Request, *authSession), authFail func(http.ResponseWriter, *http.Request)) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
httpSession, err := h.authSessionStore.Get(req, authSessionKey)
if err != nil {
......@@ -223,7 +227,7 @@ func (h *Server) withAuth(f func(http.ResponseWriter, *http.Request, *authSessio
if err := httpSession.Save(req, w); err != nil {
log.Printf("error saving session: %v", err)
}
http.Redirect(w, req, h.loginHandler.makeLoginURL(req), http.StatusFound)
authFail(w, req)
})
}
......@@ -285,6 +289,10 @@ func (h *Server) handleHomepage(w http.ResponseWriter, req *http.Request, sessio
http.Redirect(w, req, callbackURL, http.StatusFound)
}
func (h *Server) alreadyLoggedOut(w http.ResponseWriter, req *http.Request) {
http.Error(w, "You do not seem to be logged in", http.StatusBadRequest)
}
type logoutServiceInfo struct {
URL string `json:"url"`
Name string `json:"name"`
......@@ -381,7 +389,7 @@ func (h *Server) Handler() http.Handler {
// protection.
m := http.NewServeMux()
m.Handle(h.urlFor("/login"), h.loginHandler)
m.Handle(h.urlFor("/logout"), h.withAuth(h.handleLogout))
m.Handle(h.urlFor("/logout"), h.withAuth(h.handleLogout, h.alreadyLoggedOut))
idph := http.Handler(m)
if h.csrfSecret != nil {
idph = csrf.Protect(h.csrfSecret)(idph)
......@@ -390,7 +398,7 @@ func (h *Server) Handler() http.Handler {
// Add the SSO provider endpoints (root path and /exchange),
// which do not need CSRF. We use a HandlerFunc to bypass the
// '/' dispatch semantics of the standard http.ServeMux.
ssoh := h.withAuth(h.handleHomepage)
ssoh := h.withAuth(h.handleHomepage, h.redirectToLogin)
userh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch {
case r.Method == "GET" && r.URL.Path == h.urlFor("/"):
......
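Review bot: The `if err != nil {` branch at the top of the `withAuth` handler is cut off by the hunk boundary, so it is not visible whether a session-store error (for example an undecodable cookie) also goes through `authFail`; if that branch still redirects to login on its own, `/logout` would keep entering the login workflow in that case, which is what this commit sets out to stop. Separately, `withAuth` now takes two callbacks but has no doc comment, and a nil `authFail` would panic on any request that arrives without a valid session. I would add something like `// withAuth runs f only when the request carries a valid auth session; otherwise it calls authFail, which must be non-nil and must write the complete response.` above the function. The handler body starts and ends outside the visible hunks, so the first point needs checking against the full file.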
......@@ -249,7 +249,6 @@ func TestHTTP_LoginAndLogout(t *testing.T) {
// Make a logout request.
doGet(t, httpSrv, c, "/logout", checkStatusOk)
doPostForm(t, httpSrv, c, "/logout", nil, checkStatusOk)
// This new authorization request should send us to the login page.
v = make(url.Values)
......