FIX: do not create superfluous sessions when logged on

In some SSO implementations we may want to run the SSO login flow for
users who are already logged on.

In these cases, do not log the user in again (and so issue a new auth
token) if they are clearly already logged on as that same user.
Sam 2018-11-01 12:54:01 +11:00
parent 0084b0c26e
commit aa044623bd
2 changed files with 20 additions and 1 deletions


@ -153,7 +153,9 @@ class SessionController < ApplicationController
if SiteSetting.verbose_sso_logging
Rails.logger.warn("Verbose SSO log: User was logged on #{user.username}\n\n#{sso.diagnostics}")
end
log_on_user user
if user.id != current_user&.id
log_on_user user
end
end
# If it's not a relative URL check the host
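Review bot: The new guard `if user.id != current_user&.id` carries no comment, so a reader has to recover from the commit message why a second `log_on_user` is deliberately skipped; a one-liner above it would do, e.g. `# Already authenticated as this user: a repeat SSO round-trip must not mint another UserAuthToken.` When the SSO payload resolves to a different user than `current_user`, the branch still calls `log_on_user user` on top of the existing session with no explicit logout here — presumably `log_on_user` replaces the session/token, but that helper is outside the hunk and is worth confirming. Stylistically the three-line `if` reads better as the modifier form `log_on_user(user) unless user.id == current_user&.id`. The enclosing method begins before this hunk.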


@ -286,6 +286,23 @@ RSpec.describe SessionController do
sso
end
it 'does not create superflous auth tokens when already logged in' do
user = Fabricate(:user)
sign_in(user)
sso = get_sso("/")
sso.email = user.email
sso.external_id = 'abc'
sso.username = 'sam'
expect do
get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
logged_on_user = Discourse.current_user_provider.new(request.env).current_user
expect(logged_on_user.id).to eq(user.id)
end.not_to change { UserAuthToken.count }
end
it 'can take over an account' do
sso = get_sso("/")
user = Fabricate(:user)
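Review bot: The assertion `not_to change { UserAuthToken.count }` would still pass if the request rotated the session (destroying one token and creating another), which is exactly the behaviour the commit wants to rule out; comparing the token ids instead pins it down, e.g. `end.not_to change { UserAuthToken.order(:id).pluck(:id) }`. The spec also covers only the same-user branch of the new guard; the other branch — an SSO payload for a different user while someone is logged in — is what makes the id comparison matter and deserves its own example using the same helpers. The `it` block that follows starts inside this hunk and ends outside it.

```ruby
# … unchanged: 'does not create superflous auth tokens when already logged in' …
it 'logs on the SSO user when a different user is already logged in' do
  user = Fabricate(:user)
  sign_in(Fabricate(:user))
  sso = get_sso("/")
  sso.email = user.email
  sso.external_id = 'abc'
  sso.username = 'sam'
  get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
  logged_on_user = Discourse.current_user_provider.new(request.env).current_user
  expect(logged_on_user.id).to eq(user.id)
end
```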