FIX: do not create superflous sessions when logged on

In some SSO implementations we may want to issue SSO pipelines for
already logged on users

In these cases do not re-log-in a user if they are clearly logged on

app/controllers/session_controller.rb

@@ -153,7 +153,9 @@ class SessionController < ApplicationController
           if SiteSetting.verbose_sso_logging
             Rails.logger.warn("Verbose SSO log: User was logged on #{user.username}\n\n#{sso.diagnostics}")
           end
-          log_on_user user
+          if user.id != current_user&.id
+            log_on_user user
+          end
         end
 
         # If it's not a relative URL check the host

spec/requests/session_controller_spec.rb

@@ -286,6 +286,23 @@ RSpec.describe SessionController do
       sso
     end
 
+    it 'does not create superflous auth tokens when already logged in' do
+      user = Fabricate(:user)
+      sign_in(user)
+
+      sso = get_sso("/")
+      sso.email = user.email
+      sso.external_id = 'abc'
+      sso.username = 'sam'
+
+      expect do
+        get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
+        logged_on_user = Discourse.current_user_provider.new(request.env).current_user
+        expect(logged_on_user.id).to eq(user.id)
+      end.not_to change { UserAuthToken.count }
+
+    end
+
     it 'can take over an account' do
       sso = get_sso("/")
       user = Fabricate(:user)