From aa044623bdb7a4e5f7f6425957376e33d3b81a3c Mon Sep 17 00:00:00 2001
From: Sam
Date: Thu, 1 Nov 2018 12:54:01 +1100
Subject: [PATCH] FIX: do not create superflous sessions when logged on

In some SSO implementations we may want to issue SSO pipelines for already logged on users

In these cases do not re-log-in a user if they are clearly logged on
---
 app/controllers/session_controller.rb | 4 +++-
 spec/requests/session_controller_spec.rb | 17 +++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index af1e761a65f..557ac26d857 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -153,7 +153,9 @@ class SessionController < ApplicationController
 if SiteSetting.verbose_sso_logging
 Rails.logger.warn("Verbose SSO log: User was logged on #{user.username}\n\n#{sso.diagnostics}")
 end
- log_on_user user
+ if user.id != current_user&.id
+ log_on_user user
+ end
 end

 # If it's not a relative URL check the host
diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb
index 3453d5f82d7..fe90aea97e0 100644
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@@ -286,6 +286,23 @@ RSpec.describe SessionController do
 sso
 end

+ it 'does not create superflous auth tokens when already logged in' do
+ user = Fabricate(:user)
+ sign_in(user)
+
+ sso = get_sso("/")
+ sso.email = user.email
+ sso.external_id = 'abc'
+ sso.username = 'sam'
+
+ expect do
+ get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
+ logged_on_user = Discourse.current_user_provider.new(request.env).current_user
+ expect(logged_on_user.id).to eq(user.id)
+ end.not_to change { UserAuthToken.count }
+
+ end
+
 it 'can take over an account' do
 sso = get_sso("/")
 user = Fabricate(:user)
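Review bot: The verbose SSO log line immediately above the new guard still reports "User was logged on" even when `if user.id != current_user&.id` now skips `log_on_user`, so verbose diagnostics can no longer distinguish a fresh login from a reused session. I would add an `else` branch to the new guard that records the skip, e.g. `Rails.logger.warn("Verbose SSO log: #{user.username} already logged on, session reused\n\n#{sso.diagnostics}") if SiteSetting.verbose_sso_logging`. On the other branch, when `current_user` is a different account, `log_on_user` still runs; presumably it replaces the existing session and auth token rather than leaving the previous user's token valid alongside the new one, but that is not visible here and is worth confirming now that the guard decides between reusing and replacing a session. The enclosing action starts and ends outside the hunk.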
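Review bot: The new example covers only the same-user path, so the `!=` branch of the controller guard — a different account is already signed in and the SSO payload names another user — is untested, and a regression that keeps the old session or fails to issue a new token would pass this spec. Add a companion example that signs in one user, sends the payload for a second user, and asserts that `logged_on_user.id` is the SSO user's id and that `UserAuthToken.count` does change (presumably by one if `log_on_user` issues a single token — confirm before pinning `.by(1)`). Two smaller points of style: the example name spells "superfluous" as "superflous" (mirroring the commit subject), and the blank line before the example's closing `end` is not used by the neighbouring examples.
```ruby
    it 'switches the session when a different user is already logged in' do
      other = Fabricate(:user)
      sign_in(other)

      user = Fabricate(:user)
      sso = get_sso("/")
      sso.email = user.email
      sso.external_id = 'abc'
      sso.username = 'sam'

      expect do
        get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
        logged_on_user = Discourse.current_user_provider.new(request.env).current_user
        expect(logged_on_user.id).to eq(user.id)
      end.to change { UserAuthToken.count }
    end
```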