From 7fdd9b14818baba148cd346efb59464a95fa8e30 Mon Sep 17 00:00:00 2001
From: James Kachel
Date: Wed, 18 Sep 2024 09:42:34 -0400
Subject: [PATCH 1/2] Update the session invalidation code

This was using _remove_invalid_user from the upstream RemoteUserBackend middleware - but that only works if the middleware is specifically RemoteUserBackend, so now instead log them out using auth.logout.

I am not real sure how I managed to hit this so this is hard to test, but I did manage to get into a different user's session.
---
 authentication/api.py | 6 ++++++
 unified_ecommerce/middleware.py | 8 ++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/authentication/api.py b/authentication/api.py
index d2f15c92..8029e2fe 100644
--- a/authentication/api.py
+++ b/authentication/api.py
@@ -55,6 +55,12 @@ def get_user_from_apisix_headers(request):
 decoded_headers = decode_apisix_headers(request)
+ if request.user.is_authenticated:
+ log.debug(
+ "get_user_from_apisix_headers: existing session found for user %s",
+ request.user.username,
+ )
+
 if not decoded_headers:
 return None
diff --git a/unified_ecommerce/middleware.py b/unified_ecommerce/middleware.py
index d7627ce2..8c1be75f 100644
--- a/unified_ecommerce/middleware.py
+++ b/unified_ecommerce/middleware.py
@@ -2,7 +2,7 @@
 import logging
-from django.contrib.auth import login
+from django.contrib.auth import login, logout
 from django.contrib.auth.middleware import RemoteUserMiddleware
 from django.core.exceptions import ImproperlyConfigured
@@ -28,7 +28,7 @@ def process_request(self, request):
 apisix_user = get_user_from_apisix_headers(request)
 except KeyError:
 if self.force_logout_if_no_header and request.user.is_authenticated:
- self._remove_invalid_user(request)
+ logout(request)
 return
 if request.user.is_authenticated:
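Review bot: The new debug line in get_user_from_apisix_headers logs `request.user.username` for every request that carries a session, and it sits above the `if not decoded_headers` check, so non-gateway traffic and requests the function then rejects all emit a username into the debug log. Usernames are personal data, and the message records only the session side of the comparison, which is the half that was already known; the crossover the commit message describes only becomes visible once the gateway identity is logged next to it. Consider moving the statement below the header check, or logging only when the two identities differ, e.g. `log.debug("existing session for %s differs from gateway identity", request.user.username)` (the gateway field name is not visible here, so confirm it against decode_apisix_headers). The function's body continues outside the hunk.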
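Review bot: `except KeyError` is the only signal that no gateway header was present, so a KeyError raised inside get_user_from_apisix_headers for any other reason (a malformed header body, say) would be treated as "no header" and, with force_logout_if_no_header set, would end the session; what actually raises the KeyError is not visible in this diff, so confirm it, or replace the implicit signal with an explicit check. The same `logout(request)` substitution appears in the following `@@ -37,12` hunk and needs no separate comment. Since the commit says this is hard to test, a regression test with RequestFactory plus SessionMiddleware — an existing session for user A and gateway headers for user B — should end with `request.user == B` and a different session key after process_request. Both hunks lie inside process_request, whose `def` line and `try` are above the hunk.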
@@ -37,12 +37,12 @@ def process_request(self, request):
 # the same user.
 if request.user != apisix_user:
- self._remove_invalid_user(request)
+ logout(request)
 return
 if not apisix_user:
- self._remove_invalid_user(request)
+ logout(request)
 return

From e44568169c6f86dd37ceb31a698e5dc46cdf9184 Mon Sep 17 00:00:00 2001
From: James Kachel
Date: Wed, 18 Sep 2024 10:08:36 -0400
Subject: [PATCH 2/2] Simplify some more stuff here, don't kill session if it was established outside the API gateway

---
 unified_ecommerce/middleware.py | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/unified_ecommerce/middleware.py b/unified_ecommerce/middleware.py
index 8c1be75f..10068c69 100644
--- a/unified_ecommerce/middleware.py
+++ b/unified_ecommerce/middleware.py
@@ -31,23 +31,20 @@ def process_request(self, request):
 logout(request)
 return
- if request.user.is_authenticated:
- # The user is authenticated but like the RemoteUserMiddleware we
- # should now check and make sure the user APISIX is passing is
- # the same user.
+ if apisix_user:
+ if request.user.is_authenticated and request.user != apisix_user:
+ # The user is authenticated, but doesn't match the user we got
+ # from APISIX. So, log them out so the APISIX user takes
+ # precedence.
- if request.user != apisix_user:
 logout(request)
- return
-
- if not apisix_user:
- logout(request)
-
- return
-
- request.user = apisix_user
- login(request, apisix_user, backend="django.contrib.auth.backends.ModelBackend")
+ request.user = apisix_user
+ login(
+ request,
+ apisix_user,
+ backend="django.contrib.auth.backends.ModelBackend",
+ )
 return
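Review bot: In the second patch's `if apisix_user:` branch, `login()` now runs on every request that carries a gateway identity, including the common case where `request.user` is already that user; the removed code returned before re-logging in, so this is a regression. Django's `login()` sends `user_logged_in` (whose default receiver writes `last_login`) and calls `rotate_token()` on each call, so every gateway request now costs a user-row write and a CSRF secret rotation, and `last_login` stops meaning anything. The `request.user = apisix_user` assignment is also redundant, since `login()` assigns `request.user` itself. A short-circuit for the matching case, as below, restores the earlier behaviour; the `def` line and the `try`/`except KeyError` that precede these lines are above the hunk.
```python
        if apisix_user:
            if request.user.is_authenticated and request.user == apisix_user:
                # Session already belongs to the gateway identity; nothing to do.
                return
            if request.user.is_authenticated:
                # Existing session is for a different user: drop it so the
                # gateway identity takes precedence.
                logout(request)
            login(
                request,
                apisix_user,
                backend="django.contrib.auth.backends.ModelBackend",
            )

        return
```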