FIX: do not create superflous sessions when logged on

In some SSO implementations we may want to issue SSO pipelines for already logged on users In these cases do not re-log-in a user if they are clearly logged on
2018-11-01 12:54:01 +11:00 · 2018-11-01 12:54:01 +11:00 · aa044623bd
parent 0084b0c26e
commit aa044623bd
2 changed files with 20 additions and 1 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -153,8 +153,10 @@ class SessionController < ApplicationController
          if SiteSetting.verbose_sso_logging
            Rails.logger.warn("Verbose SSO log: User was logged on #{user.username}\n\n#{sso.diagnostics}")
          end
+          if user.id != current_user&.id
            log_on_user user
          end
+        end

        # If it's not a relative URL check the host
        if return_path !~ /^\/[^\/]/
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@ -286,6 +286,23 @@ RSpec.describe SessionController do
      sso
    end

+    it 'does not create superflous auth tokens when already logged in' do
+      user = Fabricate(:user)
+      sign_in(user)
+
+      sso = get_sso("/")
+      sso.email = user.email
+      sso.external_id = 'abc'
+      sso.username = 'sam'
+
+      expect do
+        get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
+        logged_on_user = Discourse.current_user_provider.new(request.env).current_user
+        expect(logged_on_user.id).to eq(user.id)
+      end.not_to change { UserAuthToken.count }
+
+    end
+
    it 'can take over an account' do
      sso = get_sso("/")
      user = Fabricate(:user)