feat: add invalidate current user pipeline #104
Conversation
andrey-canon
force-pushed
the
and/add_none_user_pipeline
branch
from
1a6eaee to
3552876
Compare
andrey-canon
force-pushed
the
and/add_none_user_pipeline
branch
from
3552876 to
32ee5d1
Compare
| @@ -28,3 +30,28 @@ def social_details(backend, details, response, *args, **kwargs): | |||
| details["details"][key] = response.get(value) | |||
|
|
|||
| return details | |||
|
|
|||
|
|
|||
| def invalidate_current_user(request, *args, user=None, **kwargs): # pylint: disable=unused-argument | |||
There was a problem hiding this comment.
What do u think of
| def invalidate_current_user(request, *args, user=None, **kwargs): # pylint: disable=unused-argument | |
| def logout_current_user(request, *args, user=None, **kwargs): # pylint: disable=unused-argument |
There was a problem hiding this comment.
What do u think of
logout functionality is not the main purpose of this, that is an extra functionality of the pipeline, the main purpose is to set the user to None, however that made me think that I should split this method in order to keep just one responsibility per method
|
@johanv26 saml.mp4 |
| return {} | ||
|
|
||
|
|
||
| def close_active_session(request, *args, user=None, **kwargs): # pylint: disable=unused-argument |
There was a problem hiding this comment.
I have some thoughts about the name because close_active_session is a name that if I put it in the pipeline I ensure that this would close the actual session or do the logout even if the dict has user or not.
There was a problem hiding this comment.
sorry I didn't understand your concern, could you please give more details
There was a problem hiding this comment.
I mean that the name of the function close_active_session covers a lot. So If I added it in a pipeline, I ensured the logout would happen without if statement request.user != user
Maybe close_previous_session_mismatch_user could be another name. Is only an opinion.
There was a problem hiding this comment.
if I understood since the name is close_active_session that should close all the session not matter the user, in this case the pipeline only closes the session if the current user is different from the session user, so what do you think of close_mismatch_session or close_invalid_session ??
There was a problem hiding this comment.
I like close_mismatch_session
Description
This pipeline sets to None the current user in order to avoid invalid associations.
This was implemented due to an unexpected behavior when a user is logged and a different
user tries to authenticate by using a SAML IDP in the same browser, the result is that
instead of having two different accounts the second user is associated to the first user's
account, this behavior is the result of SESSION_COOKIE_SAMESITE = "None" however the
possible fix, SESSION_COOKIE_SAMESITE = "Lax", has not been tested in the whole platform
therefore that can not be implemented yet.
Testing instructions