Merge pull request #892 from alphagov/enforce-logout

Enforce logout
alphagov · Jun 6, 2024 · 2bc0269 · 2bc0269
2 parents 5cde8b5 + de4e139
commit 2bc0269
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 3 deletions.
diff --git a/app/controllers/concerns/authenticated_api_concern.rb b/app/controllers/concerns/authenticated_api_concern.rb
@@ -10,14 +10,17 @@ module AuthenticatedApiConcern
         session_secret: Rails.application.credentials.session_secret,
       )
 
-      head :unauthorized unless @govuk_account_session
+      if @govuk_account_session
+        head :unauthorized if LogoutNotice.find(@govuk_account_session.user_id)
+      else
+        head :unauthorized
+      end
     end
 
     rescue_from AccountSession::ReauthenticateUserError do
       head :unauthorized
     end
   end
-
   def render_api_response(options = {})
     render json: options.merge(govuk_account_session: @govuk_account_session.serialise)
   end

diff --git a/app/controllers/personalisation_controller.rb b/app/controllers/personalisation_controller.rb
@@ -8,7 +8,11 @@ class PersonalisationController < ApplicationController
       session_secret: Rails.application.credentials.session_secret,
     )
 
-    end_session! unless @govuk_account_session
+    if @govuk_account_session
+      end_session! if LogoutNotice.find(@govuk_account_session.user_id)
+    else
+      end_session!
+    end
   end
 
   before_action :set_caching_headers

diff --git a/spec/requests/check_email_subscription_spec.rb b/spec/requests/check_email_subscription_spec.rb
@@ -66,6 +66,18 @@
         end
       end
 
+      context "when a logout notice exists for that sub" do
+        before do
+          Redis.current.flushdb
+          Redis.current.set("logout-notice/#{sub}", Time.zone.now)
+        end
+
+        it "logs the user out" do
+          get(personalisation_check_email_subscription_path, params:, headers:)
+          expect(response).to have_http_status(:unauthorized)
+        end
+      end
+
       context "when a base_path is passed" do
         let(:base_path) { "/foo" }
         let(:subscription_slug) { "foo" }

diff --git a/spec/requests/user_spec.rb b/spec/requests/user_spec.rb
@@ -20,6 +20,18 @@
 
   let(:response_body) { JSON.parse(response.body) }
 
+  context "when a logout notice exists for that sub" do
+    before do
+      Redis.current.flushdb
+      Redis.current.set("logout-notice/#{session_identifier.user_id}", Time.zone.now)
+    end
+
+    it "logs the user out" do
+      get("/api/user", headers:)
+      expect(response).to have_http_status(:unauthorized)
+    end
+  end
+
   it "returns 200 OK" do
     get("/api/user", headers:)
     expect(response).to be_successful