handle logout when no session is present

David Kennedy 2024-02-14 12:09:27 -05:00
parent 7ec4b32f88
commit 3387ec032b
No known key found for this signature in database
GPG key ID: 6528A5386E66B96B
2 changed files with 25 additions and 1 deletions


@ -327,6 +327,26 @@ class ViewsTest(TestCase):
self.assertEqual(response.status_code, 302) self.assertEqual(response.status_code, 302)
self.assertEqual(actual, expected) self.assertEqual(actual, expected)
def test_logout_redirect_url_with_no_session_state(self, mock_client):
"""Test that logout redirects to the configured post_logout_redirect_uris."""
with less_console_noise():
# MOCK
mock_client.callback.side_effect = self.user_info
mock_client.registration_response = {"post_logout_redirect_uris": ["http://example.com/back"]}
mock_client.provider_info = {"end_session_endpoint": "http://example.com/log_me_out"}
mock_client.client_id = "TEST"
# TEST
with less_console_noise():
response = self.client.get(reverse("logout"))
# ASSERTIONS
expected = (
"http://example.com/log_me_out?client_id=TEST"
"&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2Fback"
)
actual = response.url
self.assertEqual(response.status_code, 302)
self.assertEqual(actual, expected)
@patch("djangooidc.views.auth_logout") @patch("djangooidc.views.auth_logout")
def test_logout_always_logs_out(self, mock_logout, _): def test_logout_always_logs_out(self, mock_logout, _):
"""Without additional mocking, logout will always fail. """Without additional mocking, logout will always fail.
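Review bot: The docstring on `test_logout_redirect_url_with_no_session_state` describes only the redirect to the configured post_logout_redirect_uris, and does not say what this test covers: logout with no `state` in the session. I would reword it to something like `"""Test that logout without session state still redirects to the end-session endpoint, with no state parameter in the URL."""`. The exact-URL assertion already pins the absence of `state`. A short comment saying the test deliberately leaves the session empty would keep a later setup change from silently turning this into the with-state case.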


@ -145,8 +145,12 @@ def logout(request, next_page=None):
user = request.user user = request.user
request_args = { request_args = {
"client_id": CLIENT.client_id, "client_id": CLIENT.client_id,
"state": request.session["state"],
} }
# if state is not in request session, still redirect to the identity
# provider's logout url, but don't include the state in the url; this
# will successfully log out of the identity provider
if "state" in request.session:
request_args["state"] = request.session["state"]
if ( if (
"post_logout_redirect_uris" in CLIENT.registration_response.keys() "post_logout_redirect_uris" in CLIENT.registration_response.keys()
and len(CLIENT.registration_response["post_logout_redirect_uris"]) > 0 and len(CLIENT.registration_response["post_logout_redirect_uris"]) > 0
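Review bot: The new guard `if "state" in request.session:` tests only that the key is present, so a session that holds `state` as `None` or an empty string would still put a meaningless `state` value in the end-session request (assuming `request_args` is URL-encoded, as the expected URL in the new test suggests). Reading the value once closes that gap: `state = request.session.get("state")` followed by `if state: request_args["state"] = state`. The added comment says the redirect "will successfully log out of the identity provider", which depends on the provider accepting an end-session request without `state`. It is worth confirming that whatever handles the post-logout redirect does not require a returned state either, since that code is not visible here. The body of `logout()` starts and ends outside this hunk.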