Ensure timeoutable hook respects Devise.sign_out_all_scopes configuration

Closes #2606
2022-11-09 12:18:31 -05:00 · 2013-11-06 21:07:38 +01:00 · 2013-11-06 21:07:38 +01:00 · 27bcefcf54
commit 27bcefcf54
parent 4f1bf8f3f9
4 changed files with 25 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -12,6 +12,7 @@
  * A GET to sign_in page shouldn't extend the session (by @drewish)
  * Splat the arguments to `strong_parameters#permit` to work around a limitation in the `strong_parameters` gem (by @memberful)
  * Omniauth now uses `mapping.fullpath` when generating routes. This means if you call `devise_for :users` inside a scope, like `scope "/api"`, the scope will now apply to the omniauth route (by @AlexanderZaytsev)
+  * Ensure timeoutable hook respects `Devise.sign_out_all_scopes` configuration

 * deprecations
  * `expire_session_data_after_sign_in!` has been deprecated in favor of `expire_data_after_sign_in!`
--- a/lib/devise/hooks/proxy.rb
+++ b/lib/devise/hooks/proxy.rb
@ -6,11 +6,16 @@ module Devise
      include Devise::Controllers::Rememberable
      include Devise::Controllers::SignInOut

-      delegate :cookies, :env, :session, :to => :@warden
+      attr_reader :warden
+      delegate :cookies, :env, :to => :warden

      def initialize(warden)
        @warden = warden
      end
+
+      def session
+        warden.request.session
+      end
    end
  end
 end
--- a/lib/devise/hooks/timeoutable.rb
+++ b/lib/devise/hooks/timeoutable.rb
@ -9,12 +9,15 @@ Warden::Manager.after_set_user do |record, warden, options|

  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
    last_request_at = warden.session(scope)['last_request_at']
+    proxy = Devise::Hooks::Proxy.new(warden)

    if record.timedout?(last_request_at) && !env['devise.skip_timeout']
-      warden.logout(scope)
+      Devise.sign_out_all_scopes ? proxy.sign_out : sign_out(scope)
+
      if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
        record.reset_authentication_token!
      end
+
      throw :warden, :scope => scope, :message => :timeout
    end

--- a/test/integration/timeoutable_test.rb
+++ b/test/integration/timeoutable_test.rb
@ -45,6 +45,20 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
    assert_not warden.authenticated?(:user)
  end

+  test 'time out all sessions after default limit time when sign_out_all_scopes is true' do
+    swap Devise, sign_out_all_scopes: true do
+      sign_in_as_admin
+
+      user = sign_in_as_user
+      get expire_user_path(user)
+      assert_not_nil last_request_at
+
+      get root_path
+      assert_not warden.authenticated?(:user)
+      assert_not warden.authenticated?(:admin)
+    end
+  end
+
  test 'time out user session after deault limit time and redirect to latest get request' do
    user = sign_in_as_user
    visit edit_form_user_path(user)