Handle the user cache cookie on public pages

csexton · csexton · commit e753701fbaab · 2015-05-06T14:36:44.000-04:00
Any pages that didn't require a current user were ignoring the cache
key cookie. This change will look for the existence of that and update
or log out the user as appropriate.

The logic is a bit murky, but with my local testing it appears to work
in all the edge cases, certainly something that could be cleaned
up.
diff --git a/app/controllers/kracken/sessions_controller.rb b/app/controllers/kracken/sessions_controller.rb
@@ -1,6 +1,7 @@
 module Kracken
   class SessionsController < ApplicationController
     skip_before_filter :authenticate_user!, except: [:index]
+    skip_before_filter :handle_user_cache_cookie!, except: [:index]
 
     def index
     end
diff --git a/lib/kracken/controllers/authenticatable.rb b/lib/kracken/controllers/authenticatable.rb
@@ -4,6 +4,7 @@ module Authenticatable
 
       def self.included(base)
         base.instance_exec do
+          before_action :handle_user_cache_cookie!
           before_action :authenticate_user!
           helper_method :sign_out_path, :sign_up_path, :sign_in_path,
                         :current_user, :user_signed_in?
@@ -33,9 +34,7 @@ def authenticate_user
       end
 
       def authenticate_user!
-        if user_signed_in?
-          handle_user_cache_cookie
-        else
+        unless user_signed_in?
           if request.format == :json
             render json: {error: '401 Unauthorized'}, status: :unauthorized
           else
@@ -44,6 +43,43 @@ def authenticate_user!
         end
       end
 
+      # We needed a way to update the user information on kracken and
+      # automatically update all the client apps. Instead of pushing changes
+      # to all the apps we added a cookie that will act as an indicator that
+      # the user is stale and they need to refresh them.
+      #
+      # The refresh is accomplished by redirecting to the normal oauth flow
+      # which will simply redirect the back if they are already signed in (or
+      # ask for a user/pass if they are not).
+      #
+      # This method will:
+      #
+      #  - Check for the `_radius_user_cache_key` tld cookie
+      #  - If the key is "none" log them out
+      #  - Compare it to the `user_cache_key` in the session
+      #  - If they don't match, redirect them to the oauth provider and
+      #    delete the cookie
+      #
+      def handle_user_cache_cookie!
+        if cookies[:_radius_user_cache_key]
+          if cookies[:_radius_user_cache_key] == "none"
+            # Sign out current user
+            session.delete :user_id
+
+            # Clear that user's cache key
+            session.delete :user_cache_key
+
+          elsif session[:user_cache_key] != cookies[:_radius_user_cache_key]
+            # Delete the cookie to prevent redirect loops
+            cookies.delete :_radius_user_cache_key
+
+            # Redirect to the account app
+            redirect_to_sign_in
+          end
+        end
+      end
+
+
       def current_user=(u)
         @current_user = u
       end
@@ -91,35 +127,6 @@ def redirect_to_sign_in
         end
       end
 
-      # We needed a way to update the user information on kracken and
-      # automatically update all the client apps. Instead of pushing changes
-      # to all the apps we added a cookie that will act as an indicator that
-      # the user is stale and they need to refresh them.
-      #
-      # The refresh is accomplished by redirecting to the normal oauth flow
-      # which will simply redirect the back if they are already signed in (or
-      # ask for a user/pass if they are not).
-      #
-      # This method will:
-      #
-      #  - Check for the `_radius_user_cache_key` tld cookie
-      #  - Compare it to the `user_cache_key` in the session
-      #  - If they don't match, redirect them to the oauth provider and
-      #    delete the cookie
-      #
-      def handle_user_cache_cookie
-        if cookies[:_radius_user_cache_key]
-          if session[:user_cache_key] != cookies[:_radius_user_cache_key]
-            # Delete the cookie to prevent redirect loops
-            cookies.delete :_radius_user_cache_key
-
-            # Redirect to the account app
-            redirect_to_sign_in
-          end
-        end
-      end
-
     end
-
   end
 end
diff --git a/lib/kracken/version.rb b/lib/kracken/version.rb
@@ -1,3 +1,3 @@
 module Kracken
-  VERSION = "0.0.9"
+  VERSION = "0.0.10"
 end
diff --git a/spec/kracken/controllers/authenticatable_spec.rb b/spec/kracken/controllers/authenticatable_spec.rb
@@ -93,26 +93,46 @@ class ControllerDouble < BaseControllerDouble
 
 
         context "user cache cookie" do
-          it "redirects when the cache cookie is different than the session" do
+          it "nothing if the cache cookie does not exist" do
             allow(controller).to receive(:request).and_return(double(format: nil, fullpath: nil))
-            allow(controller).to receive(:cookies).and_return({_radius_user_cache_key: "123"})
             allow(controller).to receive(:redirect_to)
+            controller.session[:user_cache_key] = "123"
 
-            controller.authenticate_user!
+            controller.handle_user_cache_cookie!
 
-            expect(controller).to have_received(:redirect_to).with("/")
+            expect(controller).to_not have_received(:redirect_to)
           end
 
-          it "does not redirect when the cache cookie matches the session" do
+          it "signs the current user out when the cache cookie is 'none'" do
             allow(controller).to receive(:request).and_return(double(format: nil, fullpath: nil))
             allow(controller).to receive(:redirect_to)
-
             controller.cookies[:_radius_user_cache_key] = "123"
             controller.session[:user_cache_key] = "123"
 
-            controller.authenticate_user!
+            controller.handle_user_cache_cookie!
+
+            expect(controller).to_not have_received(:redirect_to)
+          end
+
+          it "redirects when the cache cookie is different than the session" do
+            allow(controller).to receive(:request).and_return(double(format: nil, fullpath: nil))
+            allow(controller).to receive(:cookies).and_return({_radius_user_cache_key: "123"})
+            allow(controller).to receive(:redirect_to)
+            controller.handle_user_cache_cookie!
+
+            expect(controller).to have_received(:redirect_to).with("/")
+          end
+
+          it "does not redirect when the cache cookie matches the session" do
+            controller.session = spy
+            allow(controller).to receive(:redirect_to)
+            controller.cookies[:_radius_user_cache_key] = "none"
+
+            controller.handle_user_cache_cookie!
 
             expect(controller).to_not have_received(:redirect_to)
+            expect(controller.session).to have_received(:delete).with(:user_id)
+            expect(controller.session).to have_received(:delete).with(:user_cache_key)
           end
         end
       end
