Refactors redis/cookie handling

lankyfrenchman · lankyfrenchman · commit 4f6a0199d1c4 · 2020-08-10T15:43:35.000-04:00
diff --git a/app/controllers/kracken/sessions_controller.rb b/app/controllers/kracken/sessions_controller.rb
@@ -7,7 +7,7 @@ class SessionsController < ActionController::Base
     def create
       @user = user_class.find_or_create_from_auth_hash(auth_hash)
       session[:user_id] = @user.id
-      session[:user_cache_key] = cookies[:_radius_user_cache_key]
+      session[:user_cache_key] = SESSION_REDIS.get(user_session_key(@user.id))
       session[:token_expires_at] = Time.zone.at(auth_hash[:credentials][:expires_at])
       redirect_to return_to_path
     end
@@ -44,5 +44,9 @@ def signout_redirect_query
       current_root.path = ''
       "?redirect_to=#{CGI.escape(current_root.to_s)}"
     end
+
+    def user_session_key(id)
+      "rnsession:#{id}"
+    end
   end
 end
diff --git a/lib/kracken/controllers/authenticatable.rb b/lib/kracken/controllers/authenticatable.rb
@@ -73,13 +73,11 @@ def check_token_expiry!
       def handle_user_cache_cookie!
         if SESSION_REDIS
           handle_user_cache_cookie_with_redis
-        else
-          if cookies[:_radius_user_cache_key]
-            if cookies[:_radius_user_cache_key] == "none"
-              delete_session_data
-            elsif session[:user_cache_key] != cookies[:_radius_user_cache_key]
-              clear_cache_cookie_and_sign_out
-            end
+        elsif cookies[:_radius_user_cache_key]
+          if cookies[:_radius_user_cache_key] == "none"
+            delete_session_data
+          elsif session[:user_cache_key] != cookies[:_radius_user_cache_key]
+            clear_cache_cookie_and_sign_out
           end
         end
       end
@@ -119,19 +117,23 @@ def user_signed_in?
       private
 
       def handle_user_cache_cookie_with_redis
-        # If the user passes us a cache key cookie:
-        if cookies[:_radius_user_cache_key]
-          expected_val = SESSION_REDIS.get(cookies[:_radius_user_cache_key])
+        return redirect_to_sign_in unless session_present?
+        return if session_and_redis_match?
 
-          # And we do not have that cookie in Redis
-          if !expected_val
-            delete_session_data
-          # Or we have it in Redis, but it may be somebody else's
-          # - it's not what we expect from their session
-          elsif expected_val && expected_val != session[:user_cache_key]
-            clear_cache_cookie_and_sign_out
-          end
-        end
+        delete_session_data
+        redirect_to_sign_in
+      end
+
+      def session_present?
+        session[:user_id] && session[:user_cache_key]
+      end
+
+      def session_and_redis_match?
+        SESSION_REDIS.get(user_session_key(session[:user_id])) == session[:user_cache_key]
+      end
+
+      def user_session_key(id)
+        "rnsession:#{id}"
       end
 
       def delete_session_data
