Merge pull request #136 from mitodl/jkachel/fix-session-invalidation
Update the session invalidation code
jkachel authored Sep 19, 2024
2 parents 2106fb3 + e445681 commit f92ea1a
Showing 2 changed files with 20 additions and 17 deletions.
6 changes: 6 additions & 0 deletions authentication/api.py
Expand Up @@ -55,6 +55,12 @@ def get_user_from_apisix_headers(request):

decoded_headers = decode_apisix_headers(request)

if request.user.is_authenticated:
log.debug(
"get_user_from_apisix_headers: existing session found for user %s",
request.user.username,
)

if not decoded_headers:
return None

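Review bot: The new debug line announces an existing session, but when `decoded_headers` is empty the function returns None on the very next check without recording that, so the log cannot show why an authenticated session user was not returned to the middleware; a matching `log.debug("get_user_from_apisix_headers: no APISIX identity in headers, returning None")` inside `if not decoded_headers:` would make the middleware's decision reconstructable from the log alone. Logging `request.user.pk` instead of the username is also worth considering if these debug logs are shipped off-host. get_user_from_apisix_headers continues past the end of the hunk.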
31 changes: 14 additions & 17 deletions unified_ecommerce/middleware.py
Expand Up @@ -2,7 +2,7 @@

import logging

from django.contrib.auth import login
from django.contrib.auth import login, logout
from django.contrib.auth.middleware import RemoteUserMiddleware
from django.core.exceptions import ImproperlyConfigured

Expand All @@ -28,26 +28,23 @@ def process_request(self, request):
apisix_user = get_user_from_apisix_headers(request)
except KeyError:
if self.force_logout_if_no_header and request.user.is_authenticated:
self._remove_invalid_user(request)
logout(request)
return

if request.user.is_authenticated:
# The user is authenticated but like the RemoteUserMiddleware we
# should now check and make sure the user APISIX is passing is
# the same user.
if apisix_user:
if request.user.is_authenticated and request.user != apisix_user:
# The user is authenticated, but doesn't match the user we got
# from APISIX. So, log them out so the APISIX user takes
# precedence.

if request.user != apisix_user:
self._remove_invalid_user(request)
logout(request)

return

if not apisix_user:
self._remove_invalid_user(request)

return

request.user = apisix_user
login(request, apisix_user, backend="django.contrib.auth.backends.ModelBackend")
request.user = apisix_user
login(
request,
apisix_user,
backend="django.contrib.auth.backends.ModelBackend",
)

return

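Review bot: The branch that used to invalidate the session when `get_user_from_apisix_headers` returned None (`if not apisix_user: self._remove_invalid_user(request)`) has no replacement, so an authenticated session now survives a request whose APISIX headers are present but decode to nothing, and only a KeyError still reaches the `force_logout_if_no_header` logout. If keeping the session in that case is the intended fix, it deserves a comment next to `if apisix_user:`, e.g. `# An absent/empty APISIX identity leaves any existing session untouched; only a missing header (KeyError) can force a logout.`; otherwise that fall-through needs the same flag-guarded `logout(request)`. With the indentation lost on this page it also looks as if a user who already matches `apisix_user` now reaches `login(...)` on every request, which as far as I recall rotates the CSRF token and fires `user_logged_in` each time; if the `return` after `logout(request)` sits inside the mismatch branch, an `elif request.user.is_authenticated: return` before the `login(...)` call would keep the per-request behaviour the old structure had. process_request begins before this hunk.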
