raise a distinct LoggedOutError when doing a forced-logged-out

refs CNVS-14595

instead of waiting for an InvalidAuthenticityToken to catch it

test plan:
 * log in to one browser, and go to an assignment page
 * in another browser (or incognito) log in and log out as the same user
 * in browser 1, refresh. you should have to login again
 * watch your requests - pings should happen periodically, and
   succeed
 * log in/out in browser 2
 * back in browser 1, a ping should fail. check your logs or
   error reports - it should be a LoggedOutError, not an InvalidAccessToken
 * refresh and log back in
 * log in/out in browser 2
 * try to edit a rubric (or another AJAX request that's not API) -
   it should fail, again *not* with InvalidAccessToken

Change-Id: I04c72e12fbcee7dd0aa4ce7dafcb698167a82015
Reviewed-on: https://gerrit.instructure.com/38755
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: August Thornton <august@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
Cody Cutrer 2014-08-05 11:23:33 -06:00
parent 4b9d76bb92
commit 55bc442f31
4 changed files with 10 additions and 1 deletions


@ -977,6 +977,7 @@ class ApplicationController < ActionController::Base
if CANVAS_RAILS2
rescue_responses['AuthenticationMethods::AccessTokenError'] = 401
rescue_responses['AuthenticationMethods::LoggedOutError'] = 401
end
def rescue_action_in_api(exception, error_report, response_code)


@ -16,6 +16,7 @@ module CanvasRails
require_dependency 'logging_filter'
config.filter_parameters.concat LoggingFilter.filtered_parameters
config.action_dispatch.rescue_responses['AuthenticationMethods::AccessTokenError'] = 401
config.action_dispatch.rescue_responses['AuthenticationMethods::LoggedOutError'] = 401
config.app_generators do |c|
c.test_framework :rspec


@ -48,6 +48,9 @@ module AuthenticationMethods
class AccessTokenError < Exception
end
class LoggedOutError < Exception
end
def self.access_token(request, params_method = :params)
auth_header = CANVAS_RAILS2 ? ActionController::HttpAuthentication::Basic.authorization(request) : request.authorization
if auth_header.present? && (header_parts = auth_header.split(' ', 2)) && header_parts[0] == 'Bearer'
@ -104,6 +107,9 @@ module AuthenticationMethods
destroy_session
@current_pseudonym = nil
if api_request? || request.format.json?
raise LoggedOutError
end
end
end
if params[:login_success] == '1' && !@current_pseudonym
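Review bot: The guard on the new raise, `if api_request? || request.format.json?`, only covers API and JSON requests, so an XHR that negotiates another format (JS or an HTML fragment) still takes the silent path: `destroy_session` and `@current_pseudonym = nil` run, no exception is raised, and the request continues as anonymous instead of getting the 401 the commit is introducing; the test plan's "AJAX request that's not API" case presumably relies on those requests being JSON. If that is not guaranteed, widening the condition to `if api_request? || request.format.json? || request.xhr?` would make the forced-logout visible to all AJAX callers. Separately, `class LoggedOutError < Exception` follows AccessTokenError in subclassing Exception rather than StandardError, which means a bare `rescue => e` anywhere in the stack will not intercept it; if that is deliberate so the error always reaches rescue_responses, a one-line comment such as `# subclasses Exception on purpose: must bypass generic rescues and reach rescue_responses` would stop a later maintainer from "fixing" it. The enclosing method starts outside this hunk.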

View File

@ -114,7 +114,8 @@ describe AuthenticationMethods do
describe "#load_user" do
before do
@request = stub(:env => {'encrypted_cookie_store.session_refreshed_at' => 5.minutes.ago})
@request = stub(:env => {'encrypted_cookie_store.session_refreshed_at' => 5.minutes.ago},
:format => stub(:json? => false))
@controller = RSpec::MockController.new(nil, @request)
@controller.stubs(:load_pseudonym_from_access_token)
@controller.stubs(:api_request?).returns(false)
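Review bot: Nothing in this hunk exercises the new behaviour: the stubbed request always answers `:json? => false` and `api_request?` is stubbed to false, so the `raise LoggedOutError` branch added to load_user is never reached by these examples. The commit's main guarantee (a forced logout on an API or JSON request raises LoggedOutError rather than falling through) would be worth one example that stubs `api_request?` to true (or `:json? => true`) in the logged-out setup and asserts something like `expect { ... }.to raise_error(AuthenticationMethods::LoggedOutError)`; the exact setup for the forced-logout case is not visible here, so the existing examples in this describe block are the place to model it on. The `before` block and the rest of `describe "#load_user"` continue past the hunk.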