Fixed end-session when user are already disconnected

2022-07-07 16:28:28 +02:00 · 2022-07-07 16:28:28 +02:00 · db0fd2d8ba
commit db0fd2d8ba
parent 5b31da36ce
3 changed files with 23 additions and 0 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -10,6 +10,7 @@ Fixed
 *****

 - The consent page was displaying scopes not supported by clients. :pr:`56`
+- Fixed end session when user are already disconnected.

 [0.0.9] - 2022-06-05
 ====================
--- a/canaille/oidc/oauth.py
+++ b/canaille/oidc/oauth.py
@ -242,6 +242,9 @@ def end_session():
    data = CombinedMultiDict((request.args, request.form))
    user = current_user()

+    if not user:
+        return redirect(url_for("account.index"))
+
    form = LogoutForm(request.form)
    form.action = url_for("oidc.oauth.end_session_submit")

--- a/tests/oidc/test_end_session.py
+++ b/tests/oidc/test_end_session.py
@ -329,3 +329,22 @@ def test_no_jwt_bad_csrf(testclient, slapd_connection, logged_user, client):
    assert res.location.startswith(post_logout_redirect_url)

    testclient.get(f"/profile/{logged_user.uid[0]}", status=403)
+
+
+def test_end_session_already_disconnected(
+    testclient, slapd_connection, user, client, id_token
+):
+    post_logout_redirect_url = "https://mydomain.tld/disconnected"
+    res = testclient.get(
+        "/oauth/end_session",
+        params={
+            "id_token_hint": id_token,
+            "logout_hint": user.uid[0],
+            "client_id": client.client_id,
+            "post_logout_redirect_uri": post_logout_redirect_url,
+            "state": "foobar",
+        },
+        status=302,
+    )
+
+    assert res.location == "/"