Fix expire token shenanigans

- Add session and cookie cleanup on logout
2025-02-09 13:47:09 +02:00 · 2015-03-02 22:09:32 -08:00 · 2015-03-02 22:09:32 -08:00 · 045b9331c7
commit 045b9331c7
parent 8901ad4ed7
7 changed files with 36 additions and 16 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@ -148,6 +148,9 @@ func (a *Auth) logoutHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r
 	switch r.Method {
 	case methodGET:
 		ctx.SessionStorer.Del(authboss.SessionKey)
+		ctx.CookieStorer.Del(authboss.CookieRemember)
+		ctx.SessionStorer.Del(authboss.SessionLastAction)
+
 		http.Redirect(w, r, authboss.Cfg.AuthLogoutOKPath, http.StatusFound)
 	default:
 		w.WriteHeader(http.StatusMethodNotAllowed)
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@ -306,15 +306,26 @@ func TestAuth_logoutHandlerFunc_GET(t *testing.T) {
 	authboss.Cfg.AuthLogoutOKPath = "/dashboard"

 	ctx, w, r, sessionStorer := testRequest("GET")
-
 	sessionStorer.Put(authboss.SessionKey, "asdf")
+	sessionStorer.Put(authboss.SessionLastAction, "1234")
+
+	cookieStorer := mocks.NewMockClientStorer(authboss.CookieRemember, "qwert")
+	ctx.CookieStorer = cookieStorer

 	if err := a.logoutHandlerFunc(ctx, w, r); err != nil {
 		t.Error("Unexpected error:", err)
 	}

-	if _, ok := sessionStorer.Get(authboss.SessionKey); ok {
-		t.Errorf("Expected to be logged out")
+	if val, ok := sessionStorer.Get(authboss.SessionKey); ok {
+		t.Errorf("Unexpected session key:", val)
+	}
+
+	if val, ok := sessionStorer.Get(authboss.SessionLastAction); ok {
+		t.Errorf("Unexpected last action:", val)
+	}
+
+	if val, ok := cookieStorer.Get(authboss.CookieRemember); ok {
+		t.Errorf("Unexpected rm cookie:", val)
 	}

 	if http.StatusFound != w.Code {
--- a/client_storer.go
+++ b/client_storer.go
@ -12,6 +12,9 @@ const (
 	// SessionLastAction is the session key to retrieve the last action of a user.
 	SessionLastAction = "last_action"

+	// CookieRemember is used for cookies and form input names.
+	CookieRemember = "rm"
+
 	// FlashSuccessKey is used for storing sucess flash messages on the session
 	FlashSuccessKey = "flash_success"
 	// FlashErrorKey is used for storing sucess flash messages on the session
--- a/expire.go
+++ b/expire.go
@ -56,10 +56,11 @@ func (m expireMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	session := Cfg.SessionStoreMaker(w, r)
 	if _, ok := session.Get(SessionKey); ok {
 		ttl := timeToExpiry(session)
-		if ttl != 0 {
-			refreshExpiry(session)
-		} else {
+		if ttl == 0 {
 			session.Del(SessionKey)
+			session.Del(SessionLastAction)
+		} else {
+			refreshExpiry(session)
 		}
 	}

--- a/expire_test.go
+++ b/expire_test.go
@ -36,6 +36,10 @@ func TestDudeIsExpired(t *testing.T) {
 	if key, ok := session.Get(SessionKey); ok {
 		t.Error("Unexpcted session key:", key)
 	}
+
+	if key, ok := session.Get(SessionLastAction); ok {
+		t.Error("Unexpcted last action key:", key)
+	}
 }

 func TestDudeIsNotExpired(t *testing.T) {
--- a/remember/remember.go
+++ b/remember/remember.go
@ -15,9 +15,7 @@ import (
 )

 const (
-	// RememberKey is used for cookies and form input names.
-	RememberKey = "rm"
-	nRandBytes  = 32
+	nRandBytes = 32
 )

 var (
@ -71,7 +69,7 @@ func (r *Remember) Storage() authboss.StorageOptions {

 // afterAuth is called after authentication is successful.
 func (r *Remember) afterAuth(ctx *authboss.Context) error {
-	if val, ok := ctx.FirstPostFormValue(RememberKey); !ok || val != "true" {
+	if val, ok := ctx.FirstPostFormValue(authboss.CookieRemember); !ok || val != "true" {
 		return nil
 	}

@ -113,7 +111,7 @@ func (r *Remember) new(cstorer authboss.ClientStorer, storageKey string) (string
 	}

 	// Write the finalToken to the cookie
-	cstorer.Put(RememberKey, finalToken)
+	cstorer.Put(authboss.CookieRemember, finalToken)

 	return finalToken, nil
 }
@ -126,7 +124,7 @@ func (r *Remember) auth(ctx *authboss.Context) (authboss.Interrupt, error) {
 		return authboss.InterruptNone, nil
 	}

-	finalToken, ok := ctx.CookieStorer.Get(RememberKey)
+	finalToken, ok := ctx.CookieStorer.Get(authboss.CookieRemember)
 	if !ok {
 		return authboss.InterruptNone, nil
 	}
--- a/remember/remember_test.go
+++ b/remember/remember_test.go
@ -59,7 +59,7 @@ func TestAfterAuth(t *testing.T) {
 		t.Error(err)
 	}

-	if _, ok := cookies.Values[RememberKey]; !ok {
+	if _, ok := cookies.Values[authboss.CookieRemember]; !ok {
 		t.Error("Expected a cookie to have been set.")
 	}
 }
@ -88,7 +88,7 @@ func TestNew(t *testing.T) {
 		t.Error("Expected a token to be saved.")
 	}

-	if token != cookies.Values[RememberKey] {
+	if token != cookies.Values[authboss.CookieRemember] {
 		t.Error("Expected a cookie set with the token.")
 	}
 }
@ -111,7 +111,7 @@ func TestAuth(t *testing.T) {
 		t.Error("Unexpected error:", err)
 	}

-	cookie, _ := cookies.Get(RememberKey)
+	cookie, _ := cookies.Get(authboss.CookieRemember)

 	interrupt, err := r.auth(ctx)
 	if err != nil {
@ -126,7 +126,7 @@ func TestAuth(t *testing.T) {
 		t.Error("The user should have been logged in.")
 	}

-	if chocolateChip, _ := cookies.Get(RememberKey); chocolateChip == cookie {
+	if chocolateChip, _ := cookies.Get(authboss.CookieRemember); chocolateChip == cookie {
 		t.Error("Expected cookie to be different")
 	}