fix(nbp): clear session after successful finalize action

Previously, the session was kept intact including the SAML information. This allowed users to return to the connect page, since they were still partially signed in. However, no visual indicator was shown for that state.

We decided not to initiate the Single Log-Out via SAML or a regular logout due to the potentially increased complexity and interferences with the NBP IdP.

Author: MrSerth

app/controllers/users/nbp_wallet_controller.rb

@@ -63,6 +63,7 @@ def accept_and_create_user(relationship) # rubocop:disable Metrics/AbcSize
 
         if relationship.accept!
           user.send_confirmation_instructions
+          session.clear # Clear the session to prevent the user from accessing the NBP Wallet page again
           redirect_to home_index_path, notice: t('devise.registrations.signed_up_but_unconfirmed')
         else
           abort_and_refresh(relationship)

spec/requests/users/nbp_wallet/finalize_spec.rb

@@ -42,6 +42,11 @@
       expect(User.order(:created_at).last).not_to be_confirmed
     end
 
+    it 'clears the session' do
+      finalize_request
+      expect(session.keys).to contain_exactly('flash')
+    end
+
     it 'asks the user to verify the email address' do
       finalize_request
       expect(response).to redirect_to home_index_path
@@ -72,6 +77,11 @@
       it 'does not send a confirmation mail' do
         expect { finalize_request }.not_to change(ActionMailer::Base, :deliveries)
       end
+
+      it 'does not clear the session' do
+        finalize_request
+        expect(session.keys).to include('flash', 'omniauth_provider', 'saml_uid', 'session_id')
+      end
     end
 
     shared_examples 'a documented erroneous request' do |error|