Forcibly destroy existing session on logout.

To comply with security guidelines, we need to destroy the session when a user logs out. This means that the session's key in the Redis cache needs to be deleted. Flask expects to _always_ have a session object. If the current session object does not exist in the Redis cache, Flask will reserialize and store it at the end of the request. In order for session deletion to work, we need to delete the key for the existing session and then replace the session object with a new, empty one. This also updates the SessionLimiter class so that the session prefix is configurable.
2020-01-19 16:05:54 -05:00
parent 0fa4fd2304
commit 944c5d3c9f
6 changed files with 63 additions and 15 deletions
--- a/tests/domain/test_auth.py
+++ b/tests/domain/test_auth.py
@@ -0,0 +1,29 @@
+from flask import make_response, session
+
+from atst.domain.auth import logout
+
+
+def _write_session(app):
+    response = make_response("")
+    app.session_interface.save_session(app, session, response)
+    return session
+
+
+def test_logout_destroys_session(app):
+    session = _write_session(app)
+    key = app.config.get("SESSION_KEY_PREFIX") + session.sid
+    assert app.redis.get(key)
+    logout()
+    assert app.redis.get(key) is None
+
+
+def test_logout_logs_dod_id_for_current_user(monkeypatch, mock_logger):
+    dod_id = "3434343434"
+    monkeypatch.setattr("atst.domain.auth._current_dod_id", lambda: dod_id)
+    logout()
+    assert dod_id in mock_logger.messages[-1]
+
+
+def test_logout_logs_message_for_unathenticated_user(mock_logger):
+    logout()
+    assert "unauthenticated" in mock_logger.messages[-1]