From ec43586ef48a3cbae37e1affb3026296af3e5c24 Mon Sep 17 00:00:00 2001
From: Artur Beljajev
Date: Wed, 14 Feb 2018 01:17:51 +0200
Subject: [PATCH] Require authentication on EPP logout #700

---
 app/controllers/epp/sessions_controller.rb | 9 +++++
 app/controllers/epp_controller.rb | 10 +++++
 test/integration/epp/session/logout_test.rb | 42 ++++++++++++---------
 3 files changed, 44 insertions(+), 17 deletions(-)

diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index e4efc581d..69e549d21 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -124,6 +124,15 @@ class Epp::SessionsController < EppController
   end
 
   def logout
+    unless signed_in?
+      epp_errors << {
+        code: 2201,
+        msg: 'Authorization error'
+      }
+      handle_errors
+      return
+    end
+
     @api_user = current_user # cache current_user for logging
     epp_session.destroy
     response.headers['X-EPP-Returncode'] = '1500'
diff --git a/app/controllers/epp_controller.rb b/app/controllers/epp_controller.rb
index 07d3286d0..1bd587c23 100644
--- a/app/controllers/epp_controller.rb
+++ b/app/controllers/epp_controller.rb
@@ -397,4 +397,14 @@ class EppController < ApplicationController
     name = self.class.to_s.sub("Epp::","").sub("Controller","").underscore.singularize
     instance_variable_get("@#{name}")
   end
+
+  private
+
+  def signed_in?
+    epp_session
+  end
+
+  def epp_session_id
+    cookies[:session]
+  end
 end
diff --git a/test/integration/epp/session/logout_test.rb b/test/integration/epp/session/logout_test.rb
index 7237d4073..75b26f2f3 100644
--- a/test/integration/epp/session/logout_test.rb
+++ b/test/integration/epp/session/logout_test.rb
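Review bot: The new guard in logout answers a <logout> sent without a prior <login> with 2201 'Authorization error', whereas RFC 5730 §3 uses exactly this situation — a logout before a login — as its example of 2002 'Command use error'; if the other EPP handlers in this codebase follow the RFC codes, `code: 2002,` with `msg: 'Command use error'` would be the consistent pair (the mapping used elsewhere is not visible here, so confirm before changing, and test_anonymous_user in the test hunk would need the same update). The guard also relies on signed_in? being truthy only for a live session: signed_in? is defined in this commit as returning epp_session itself, so an unknown or absent session cookie must make epp_session return nil rather than raise, and epp_session is not part of this diff. The remainder of logout continues past the hunk's last line.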
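Review bot: signed_in? is named as a predicate but returns the epp_session record (or nil) instead of a boolean, so any caller that stores or renders the result gets the session object; `!epp_session.nil?` keeps the `?` contract and behaves identically inside `unless signed_in?`. The new `private` marker sits after the last existing method, so it covers only the two methods below it; if the class already has a private section earlier, these definitions belong there instead (the rest of the class is outside the hunk). epp_session_id takes the session identifier straight from the client-supplied `cookies[:session]`, which is acceptable as a lookup key only if EppSession#session_id is an unguessable random token and the lookup in epp_session treats a miss as nil — neither is visible in this diff, so please confirm, or use `cookies.signed[:session]` if the id is not already unguessable. Nothing in this commit references epp_session_id, so its consumer is presumably elsewhere in the file.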
@@ -1,8 +1,31 @@
 require 'test_helper'
 
 class EppLogoutTest < ActionDispatch::IntegrationTest
-  def setup
-    @request_xml = <<-XML
+  def test_success_response
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
+    assert Nokogiri::XML(response.body).at_css('result[code="1500"]')
+    assert_equal 1, Nokogiri::XML(response.body).css('result').size
+  end
+
+  def test_ends_current_session
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
+    assert_nil EppSession.find_by(session_id: 'api_bestnames')
+  end
+
+  def test_keeps_other_sessions_intact
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
+    assert EppSession.find_by(session_id: 'api_goodnames')
+  end
+
+  def test_anonymous_user
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=non-existent' }
+    assert Nokogiri::XML(response.body).at_css('result[code="2201"]')
+  end
+
+  private
+
+  def request_xml
+    <<-XML
@@ -10,20 +33,5 @@ class EppLogoutTest < ActionDispatch::IntegrationTest
     XML
-
-    post '/epp/session/logout', { frame: @request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
-  end
-
-  def test_success_response
-    assert Nokogiri::XML(response.body).at_css('result[code="1500"]')
-    assert_equal 1, Nokogiri::XML(response.body).css('result').size
-  end
-
-  def test_ends_current_session
-    assert_nil EppSession.find_by(session_id: 'api_bestnames')
-  end
-
-  def test_keeps_other_sessions_intact
-    assert EppSession.find_by(session_id: 'api_goodnames')
   end
 end
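Review bot: test_anonymous_user exercises a cookie naming a non-existent session but not a request that carries no session cookie at all, which is the other path through the new signed_in? guard (cookies[:session] being nil); a second case such as `post '/epp/session/logout', { frame: request_xml }` followed by the same 2201 assertion would pin it. It also never checks that the rejected request left existing sessions untouched, e.g. `assert EppSession.find_by(session_id: 'api_bestnames')`, which is the property this commit is actually protecting. On style, the same post line is repeated verbatim in three tests; a private helper taking the cookie value, or a frozen constant for the fixture cookie header, would remove the duplication. The heredoc body of request_xml is not visible within this hunk.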