Require authentication on EPP logout

#700
2025-06-08 05:34:46 +02:00 · 2018-02-14 01:17:51 +02:00 · 2018-02-14 01:17:51 +02:00 · ec43586ef4
commit ec43586ef4
parent 2ce4fa9ce0
3 changed files with 44 additions and 17 deletions
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@ -124,6 +124,15 @@ class Epp::SessionsController < EppController
  end

  def logout
+    unless signed_in?
+      epp_errors << {
+        code: 2201,
+        msg: 'Authorization error'
+      }
+      handle_errors
+      return
+    end
+
    @api_user = current_user # cache current_user for logging
    epp_session.destroy
    response.headers['X-EPP-Returncode'] = '1500'
--- a/app/controllers/epp_controller.rb
+++ b/app/controllers/epp_controller.rb
@ -397,4 +397,14 @@ class EppController < ApplicationController
    name = self.class.to_s.sub("Epp::","").sub("Controller","").underscore.singularize
    instance_variable_get("@#{name}")
  end
+
+  private
+
+  def signed_in?
+    epp_session
+  end
+
+  def epp_session_id
+    cookies[:session]
+  end
 end
--- a/test/integration/epp/session/logout_test.rb
+++ b/test/integration/epp/session/logout_test.rb
@ -1,8 +1,31 @@
 require 'test_helper'

 class EppLogoutTest < ActionDispatch::IntegrationTest
-  def setup
-    @request_xml = <<-XML
+  def test_success_response
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
+    assert Nokogiri::XML(response.body).at_css('result[code="1500"]')
+    assert_equal 1, Nokogiri::XML(response.body).css('result').size
+  end
+
+  def test_ends_current_session
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
+    assert_nil EppSession.find_by(session_id: 'api_bestnames')
+  end
+
+  def test_keeps_other_sessions_intact
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
+    assert EppSession.find_by(session_id: 'api_goodnames')
+  end
+
+  def test_anonymous_user
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=non-existent' }
+    assert Nokogiri::XML(response.body).at_css('result[code="2201"]')
+  end
+
+  private
+
+  def request_xml
+    <<-XML
      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
      <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
        <command>
@ -10,20 +33,5 @@ class EppLogoutTest < ActionDispatch::IntegrationTest
        </command>
      </epp>
    XML
-
-    post '/epp/session/logout', { frame: @request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
-  end
-
-  def test_success_response
-    assert Nokogiri::XML(response.body).at_css('result[code="1500"]')
-    assert_equal 1, Nokogiri::XML(response.body).css('result').size
-  end
-
-  def test_ends_current_session
-    assert_nil EppSession.find_by(session_id: 'api_bestnames')
-  end
-
-  def test_keeps_other_sessions_intact
-    assert EppSession.find_by(session_id: 'api_goodnames')
  end
 end