Better remote logged out experience

remotely signed-out users should be redirected to signon without additional clicks, or realising that they have been remotely signed-out. also fixes the bug where a remotely signed-out user has signed-in again but the downstream app doesn't realise it.
alphagov · Jan 28, 2014 · abe2456 · alext · Jan 28, 2014 · abe2456
1 parent c1e7f30
commit abe2456
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 20 deletions.
diff --git a/lib/gds-sso/controller_methods.rb b/lib/gds-sso/controller_methods.rb
@@ -31,11 +31,6 @@ def require_signin_permission!
       end
 
       def authenticate_user!
-        if user_remotely_signed_out?
-          message = "You have been remotely signed out."
-          skip_slimmer
-          render "authorisations/unauthorised", layout: "unauthorised", status: :forbidden, locals: { message: message }
-        end
         warden.authenticate!
       end
 

diff --git a/lib/gds-sso/warden_config.rb b/lib/gds-sso/warden_config.rb
@@ -27,7 +27,7 @@ def logger
   # This will reject old sessions that don't have an auth_set time
   uid, auth_set = tuple
   if auth_set and (auth_set + GDS::SSO::Config.auth_valid_for) > Time.now.utc
-    GDS::SSO::Config.user_klass.where(:uid => uid).first
+    GDS::SSO::Config.user_klass.where(:uid => uid, :remotely_signed_out => false).first
   else
     nil
   end

diff --git a/spec/requests/end_to_end_spec.rb b/spec/requests/end_to_end_spec.rb
@@ -87,28 +87,24 @@
         page.driver.header 'accept', 'text/html'
         page.should have_content('restricted kablooie')
 
-        # Simulate a POST to /auth/gds/api/users/:uid/reauth by SOOT
+        # logout from signon
+        visit "http://localhost:4567/users/sign_out"
+
+        # Simulate a POST to /auth/gds/api/users/:uid/reauth by signon
         # This is already tested in api_user_controller_spec.rb
-        user = User.where(:uid => "integration-uid").first
+        user = User.where(:email => "test@example-client.com").first
         user.set_remotely_signed_out!
 
-        page.driver.header 'accept', 'text/html'
-
-        # check we can't visit
+        # attempt to visit a restricted page
         visit "http://#{@client_host}/restricted"
-        page.should have_content('You have been remotely signed out')
 
-        # signin
-        visit "http://#{@client_host}/auth/gds/sign_out" # want to be redirected to SOOT, and then back again
-        # Workaround Devise treating us like we're not HTML by manually signin in
-        # If we weren't signed out, we wouldn't get the login form, we'd get the dashboard.
-        visit "http://localhost:4567/users/sign_in"
+        # be redirected to signon
+        page.should have_content('GOV.UK Signon')
         fill_in "Email", :with => "test@example-client.com"
         fill_in "Passphrase", :with => "q1w2e3r4t5y6u7i8o9p0"
         click_on "Sign in"
 
-        # check we can visit
-        visit "http://#{@client_host}/restricted"
+        # then back again to the restricted page
         page.should have_content('restricted kablooie')
       end
     end

diff --git a/spec/tasks/signonotron_tasks.rake b/spec/tasks/signonotron_tasks.rake
@@ -31,6 +31,7 @@ namespace :signonotron do
       end
       env_stuff += " RAILS_ENV=test"
 
+      puts "Running bundler"
       puts `#{env_stuff} bundle install --path=#{gem_root + 'tmp' + "#{@app_to_launch}_bundle"}`
       FileUtils.cp gem_root.join('spec', 'fixtures', 'integration', "#{@app_to_launch}_database.yml"), File.join('config', 'database.yml')
       puts `#{env_stuff} bundle exec rake db:drop db:create db:schema:load`

diff --git a/test/session_serialisation_test.rb b/test/session_serialisation_test.rb
@@ -33,7 +33,7 @@ def test_serializing_a_user_without_a_uid_returns_nil
   end
 
   def test_deserializing_a_user_and_in_date_timestamp_returns_the_user
-    User.expects(:where).with(:uid => 1234).returns(stub(:first => :a_user))
+    User.expects(:where).with(:uid => 1234, :remotely_signed_out => false).returns(stub(:first => :a_user))
 
     result = @serializer.deserialize [1234, Time.now.utc - GDS::SSO::Config.auth_valid_for + 3600]