Merge pull request #1778 from cisagov/dk/1506-logout-error
Issue #1506: handle logout when no session is present
dave-kennedy-ecs authored Feb 14, 2024
2 parents 93e0c99 + f5a1348 commit d6b1744
Showing 2 changed files with 26 additions and 1 deletion.
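--- a/src/djangooidc/tests/test_views.py
+++ b/src/djangooidc/tests/test_views.py
@@ -327,6 +327,27 @@ def test_logout_redirect_url(self, mock_client):
 self.assertEqual(response.status_code, 302)
 self.assertEqual(actual, expected)
 
+def test_logout_redirect_url_with_no_session_state(self, mock_client):
+"""Test that logout redirects to the configured post_logout_redirect_uris."""
+with less_console_noise():
+# MOCK
+mock_client.callback.side_effect = self.user_info
+mock_client.registration_response = {"post_logout_redirect_uris": ["http://example.com/back"]}
+mock_client.provider_info = {"end_session_endpoint": "http://example.com/log_me_out"}
+mock_client.client_id = "TEST"
+# TEST
+with less_console_noise():
+response = self.client.get(reverse("logout"))
+# ASSERTIONS
+# Assert redirect code and url are accurate
+expected = (
+"http://example.com/log_me_out?client_id=TEST"
+"&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2Fback"
+)
+actual = response.url
+self.assertEqual(response.status_code, 302)
+self.assertEqual(actual, expected)
+
 @patch("djangooidc.views.auth_logout")
 def test_logout_always_logs_out(self, mock_logout, _):
 """Without additional mocking, logout will always fail.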
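Review bot: The docstring of `test_logout_redirect_url_with_no_session_state` does not say what this case adds over the general redirect test: no `state` is stored in the session, so the redirect must carry no `state` parameter. I would word it as `"""Test that logout with no "state" in the session still redirects to the end-session endpoint and omits the state parameter."""`. The test relies on a fresh test client having no `state` key; a short comment at `# TEST` saying so would keep that precondition visible. `mock_client.callback.side_effect` also looks unneeded here, since only the logout view is requested.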
6 changes: 5 additions & 1 deletion src/djangooidc/views.py
Expand Up @@ -145,8 +145,12 @@ def logout(request, next_page=None):
user = request.user
request_args = {
"client_id": CLIENT.client_id,
"state": request.session["state"],
}
# if state is not in request session, still redirect to the identity
# provider's logout url, but don't include the state in the url; this
# will successfully log out of the identity provider
if "state" in request.session:
request_args["state"] = request.session["state"]
if (
"post_logout_redirect_uris" in CLIENT.registration_response.keys()
and len(CLIENT.registration_response["post_logout_redirect_uris"]) > 0
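Review bot: The new guard `if "state" in request.session:` lets a request with no session state proceed to the identity provider's end-session redirect, and nothing records that this path was taken. The accompanying test reaches the view with a plain GET and the added comment says the redirect completes the provider-side logout, so it is worth confirming that this is also intended for unauthenticated or cross-site requests. Logging the no-state case in an `else:` branch, with whatever logger the module already uses, would make it visible. Reading the value once, `state = request.session.get("state")` then `if state: request_args["state"] = state`, would also avoid sending an empty `state`. The body of `logout` starts and continues outside this hunk.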
