feat: add invalidate current user pipeline

eduNEXT · Oct 27, 2023 · 1a6eaee · 1a6eaee
1 parent 6f833fd
commit 1a6eaee
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/eox_nelp/third_party_auth/__init__.py b/eox_nelp/third_party_auth/__init__.py
diff --git a/eox_nelp/auth_pipeline.py → eox_nelp/third_party_auth/pipeline.py b/eox_nelp/auth_pipeline.py → eox_nelp/third_party_auth/pipeline.py
@@ -28,3 +28,26 @@ def social_details(backend, details, response, *args, **kwargs):
         details["details"][key] = response.get(value)
 
     return details
+
+
+def invalidate_current_user(user=None, *args, **kwargs):
+    """This pipeline sets to None the current user in order to avoid invalid associations.
+
+    This was implemented due to an unexpected behavior when a user is logged and a different
+    user tries to authenticate by using a SAML IDP in the same browser, the result is that
+    instead of having two different accounts the second user is associated to the first user's
+    account, this behavior is the result of SESSION_COOKIE_SAMESITE = "None" however the
+    possible fix, SESSION_COOKIE_SAMESITE = "Lax", has not been tested in the whole platform
+    therefore that can not be implemented yet.
+
+    **NOTE**
+        * This MUST be the first pipeline.
+        * This just has been tested in the NELP environment where the linked accounts feature
+         was deactivated.
+    """
+    if user:
+        return {
+            "user": None
+        }
+
+    return {}