From c7d5015942e276427f1f2a31a5094ddff8d77fa1 Mon Sep 17 00:00:00 2001
From: Patrick Smith
Date: Tue, 16 Oct 2018 17:23:09 -0400
Subject: [PATCH] Redirect to login page when CSRF error occurs
---
 atst/routes/errors.py | 8 +++++++-
 templates/login.html | 6 ++++++
 tests/routes/test_errors.py | 14 ++++++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 tests/routes/test_errors.py
diff --git a/atst/routes/errors.py b/atst/routes/errors.py
index 53d93e4b..7b6939d9 100644
--- a/atst/routes/errors.py
+++ b/atst/routes/errors.py
@@ -1,4 +1,5 @@
-from flask import render_template, current_app
+from flask import render_template, current_app, url_for, redirect, request
+from flask_wtf.csrf import CSRFError
 import werkzeug.exceptions as werkzeug_exceptions
 
 import atst.domain.exceptions as exceptions
@@ -23,6 +24,11 @@ def make_error_pages(app):
 log_error(e)
 return render_template("error.html", message="Log in Failed"), 401
 
+ @app.errorhandler(CSRFError)
+ def session_expired(e):
+ log_error(e)
+ return redirect(url_for("atst.root", sessionExpired=True, next=request.path))
+
 @app.errorhandler(Exception)
 # pylint: disable=unused-variable
 def exception(e):
diff --git a/templates/login.html b/templates/login.html
index e2efface..db1150c2 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -11,6 +11,12 @@
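Review bot: In atst/routes/errors.py, `session_expired` reports every `CSRFError` as an expired session, but Flask-WTF raises the same exception for a missing or mismatched token and for a failed referrer check, so a forged cross-site request is answered with the same friendly redirect and `log_error(e)` is its only trace. Consider branching on `e.description` so that only the expiry cases redirect and the rest return 400, or at least record the ambiguity with a comment such as `# CSRFError covers invalid tokens and referrer failures too, not only expiry`. `next=request.path` comes from the failing request, which will usually be a form POST target; the code that consumes `next` after login is not in this hunk and should accept only local paths and cope with a GET to that path. The neighbouring `exception` handler carries `# pylint: disable=unused-variable` and the new handler does not; `make_error_pages` itself starts and ends outside the hunk.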