Merge pull request #6 from RadiusNetworks/cache-cookie

Handle the user cache cookie on public pages

Author: csexton

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    kracken (0.0.9)
+    kracken (0.0.10)
       faraday (~> 0.8)
       omniauth (~> 1.0)
       omniauth-oauth2 (~> 1.1)
@@ -55,21 +55,20 @@ GEM
     erubis (2.7.0)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
-    globalid (0.3.3)
+    globalid (0.3.5)
       activesupport (>= 4.1.0)
-    hashie (3.4.0)
-    hike (1.2.3)
+    hashie (3.4.1)
     i18n (0.7.0)
     json (1.8.2)
     jwt (1.4.1)
-    loofah (2.0.1)
+    loofah (2.0.2)
       nokogiri (>= 1.5.9)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
     method_source (0.8.2)
-    mime-types (2.4.3)
+    mime-types (2.5)
     mini_portile (0.6.2)
-    minitest (5.5.1)
+    minitest (5.6.1)
     multi_json (1.11.0)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
@@ -84,9 +83,7 @@ GEM
     omniauth (1.2.2)
       hashie (>= 1.2, < 4)
       rack (~> 1.0)
-    omniauth-oauth2 (1.2.0)
-      faraday (>= 0.8, < 0.10)
-      multi_json (~> 1.3)
+    omniauth-oauth2 (1.3.0)
       oauth2 (~> 1.0)
       omniauth (~> 1.2)
     pry (0.10.1)
@@ -95,7 +92,7 @@ GEM
       slop (~> 3.4)
     pry-nav (0.2.4)
       pry (>= 0.9.10, < 0.11.0)
-    rack (1.6.0)
+    rack (1.6.1)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (4.2.1)
@@ -142,18 +139,14 @@ GEM
     rspec-support (3.2.2)
     safe_yaml (1.0.4)
     slop (3.6.0)
-    sprockets (2.12.3)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
+    sprockets (3.0.3)
       rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
     sprockets-rails (2.2.4)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
     thor (0.19.1)
     thread_safe (0.3.5)
-    tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
     webmock (1.20.4)

app/controllers/kracken/sessions_controller.rb

@@ -1,6 +1,7 @@
 module Kracken
   class SessionsController < ApplicationController
     skip_before_filter :authenticate_user!, except: [:index]
+    skip_before_filter :handle_user_cache_cookie!, except: [:index]
 
     def index
     end

lib/kracken/controllers/authenticatable.rb

@@ -4,6 +4,7 @@ module Authenticatable
 
       def self.included(base)
         base.instance_exec do
+          before_action :handle_user_cache_cookie!
           before_action :authenticate_user!
           helper_method :sign_out_path, :sign_up_path, :sign_in_path,
                         :current_user, :user_signed_in?
@@ -33,9 +34,7 @@ def authenticate_user
       end
 
       def authenticate_user!
-        if user_signed_in?
-          handle_user_cache_cookie
-        else
+        unless user_signed_in?
           if request.format == :json
             render json: {error: '401 Unauthorized'}, status: :unauthorized
           else
@@ -44,6 +43,43 @@ def authenticate_user!
         end
       end
 
+      # We needed a way to update the user information on kracken and
+      # automatically update all the client apps. Instead of pushing changes
+      # to all the apps we added a cookie that will act as an indicator that
+      # the user is stale and they need to refresh them.
+      #
+      # The refresh is accomplished by redirecting to the normal oauth flow
+      # which will simply redirect the back if they are already signed in (or
+      # ask for a user/pass if they are not).
+      #
+      # This method will:
+      #
+      #  - Check for the `_radius_user_cache_key` tld cookie
+      #  - If the key is "none" log them out
+      #  - Compare it to the `user_cache_key` in the session
+      #  - If they don't match, redirect them to the oauth provider and
+      #    delete the cookie
+      #
+      def handle_user_cache_cookie!
+        if cookies[:_radius_user_cache_key]
+          if cookies[:_radius_user_cache_key] == "none"
+            # Sign out current user
+            session.delete :user_id
+
+            # Clear that user's cache key
+            session.delete :user_cache_key
+
+          elsif session[:user_cache_key] != cookies[:_radius_user_cache_key]
+            # Delete the cookie to prevent redirect loops
+            cookies.delete :_radius_user_cache_key
+
+            # Redirect to the account app
+            redirect_to_sign_in
+          end
+        end
+      end
+
+
       def current_user=(u)
         @current_user = u
       end
@@ -91,35 +127,6 @@ def redirect_to_sign_in
         end
       end
 
-      # We needed a way to update the user information on kracken and
-      # automatically update all the client apps. Instead of pushing changes
-      # to all the apps we added a cookie that will act as an indicator that
-      # the user is stale and they need to refresh them.
-      #
-      # The refresh is accomplished by redirecting to the normal oauth flow
-      # which will simply redirect the back if they are already signed in (or
-      # ask for a user/pass if they are not).
-      #
-      # This method will:
-      #
-      #  - Check for the `_radius_user_cache_key` tld cookie
-      #  - Compare it to the `user_cache_key` in the session
-      #  - If they don't match, redirect them to the oauth provider and
-      #    delete the cookie
-      #
-      def handle_user_cache_cookie
-        if cookies[:_radius_user_cache_key]
-          if session[:user_cache_key] != cookies[:_radius_user_cache_key]
-            # Delete the cookie to prevent redirect loops
-            cookies.delete :_radius_user_cache_key
-
-            # Redirect to the account app
-            redirect_to_sign_in
-          end
-        end
-      end
-
     end
-
   end
 end

lib/kracken/version.rb

@@ -1,3 +1,3 @@
 module Kracken
-  VERSION = "0.0.9"
+  VERSION = "0.0.10"
 end

spec/kracken/controllers/authenticatable_spec.rb

@@ -93,26 +93,46 @@ class ControllerDouble < BaseControllerDouble
 
 
         context "user cache cookie" do
-          it "redirects when the cache cookie is different than the session" do
+          it "nothing if the cache cookie does not exist" do
             allow(controller).to receive(:request).and_return(double(format: nil, fullpath: nil))
-            allow(controller).to receive(:cookies).and_return({_radius_user_cache_key: "123"})
             allow(controller).to receive(:redirect_to)
+            controller.session[:user_cache_key] = "123"
 
-            controller.authenticate_user!
+            controller.handle_user_cache_cookie!
 
-            expect(controller).to have_received(:redirect_to).with("/")
+            expect(controller).to_not have_received(:redirect_to)
           end
 
-          it "does not redirect when the cache cookie matches the session" do
+          it "signs the current user out when the cache cookie is 'none'" do
             allow(controller).to receive(:request).and_return(double(format: nil, fullpath: nil))
             allow(controller).to receive(:redirect_to)
-
             controller.cookies[:_radius_user_cache_key] = "123"
             controller.session[:user_cache_key] = "123"
 
-            controller.authenticate_user!
+            controller.handle_user_cache_cookie!
+
+            expect(controller).to_not have_received(:redirect_to)
+          end
+
+          it "redirects when the cache cookie is different than the session" do
+            allow(controller).to receive(:request).and_return(double(format: nil, fullpath: nil))
+            allow(controller).to receive(:cookies).and_return({_radius_user_cache_key: "123"})
+            allow(controller).to receive(:redirect_to)
+            controller.handle_user_cache_cookie!
+
+            expect(controller).to have_received(:redirect_to).with("/")
+          end
+
+          it "does not redirect when the cache cookie matches the session" do
+            controller.session = spy
+            allow(controller).to receive(:redirect_to)
+            controller.cookies[:_radius_user_cache_key] = "none"
+
+            controller.handle_user_cache_cookie!
 
             expect(controller).to_not have_received(:redirect_to)
+            expect(controller.session).to have_received(:delete).with(:user_id)
+            expect(controller.session).to have_received(:delete).with(:user_cache_key)
           end
         end
       end