* whack the default domain cookie if we see an attempt to invalidate

2014-03-21 16:20:34 +00:00 · 2014-03-21 16:20:34 +00:00 · 2306948f9c
parent 4aece93b87
commit 2306948f9c
4 changed files with 72 additions and 0 deletions
--- a/web/lib/middlewares/clear_duplicated_session.rb
+++ b/web/lib/middlewares/clear_duplicated_session.rb
@ -14,6 +14,21 @@ module Middlewares
    def call(env)
      status, headers, body = @app.call(env)

+      headers.each do|k,v|
+        if k == 'Set-Cookie' && v.start_with?(get_session_key(env))
+          bits = v.split(';')
+          if bits.length > 0
+            cookie_name_value = bits[0].split('=')
+            if cookie_name_value.length == 1 && Rails.application.config.session_cookie_domain
+              # this path indicates there is no value for the remember_token, i.e., it's being deleted
+              ::Rack::Utils.set_cookie_header!(
+                    headers, # contains response headers
+                    get_session_key(env), # gets the cookie session name, '_session_cookie' - for this example
+                    { :value => '', :path => '/', :expires => Time.at(0) })
+            end
+          end
+        end
+      end
      if there_are_more_than_one_session_key_in_cookies?(env)
        delete_session_cookie_for_current_domain(env, headers)
      end
--- a/web/spec/features/profile_menu_spec.rb
+++ b/web/spec/features/profile_menu_spec.rb
@ -52,6 +52,15 @@ describe "Profile Menu", :js => true, :type => :feature, :capybara_feature => tr
      it { should have_selector('h2',    text: 'audio profiles:') }
    end

+    describe "Sign Out" do
+
+      before(:each) do
+        click_link 'Sign Out'
+      end
+
+      it { should_be_logged_out }
+    end
+
    describe "Download App link" do

      before(:each) do
--- a/web/spec/features/signin_spec.rb
+++ b/web/spec/features/signin_spec.rb
@ -175,5 +175,43 @@ describe "signin" do

      delete_called.should be_true
    end
+
+
+    it "signout" do
+
+      sign_in_poltergeist(user)
+
+      sign_out_poltergeist
+    end
+
+
+    it "signout with custom domain for cookie" do
+      sign_in_poltergeist(user)
+      original = Rails.application.config.session_cookie_domain
+
+      begin
+        Rails.application.config.session_cookie_domain = '.127.0.0.1'
+        page.driver.set_cookie(:remember_token, user.remember_token, domain: '127.0.0.1')
+        sign_out_poltergeist
+      ensure
+        Rails.application.config.session_cookie_domain = original
+      end
+
+    end
+
+
+
+    it "can't signout with custom domain for cookie" do
+      sign_in_poltergeist(user)
+      original = Rails.application.config.session_cookie_domain
+
+      begin
+        Rails.application.config.session_cookie_domain = 'blah'
+        sign_out_poltergeist
+      ensure
+        Rails.application.config.session_cookie_domain = original
+      end
+    end
  end
+
 end
--- a/web/spec/support/utilities.rb
+++ b/web/spec/support/utilities.rb
@ -95,6 +95,7 @@ def sign_in_poltergeist(user)
  wait_until_curtain_gone
 end

+
 def sign_out()
  if Capybara.javascript_driver == :poltergeist
    page.driver.remove_cookie(:remember_token)
@ -103,6 +104,15 @@ def sign_out()
  end
 end

+def sign_out_poltergeist(options = {})
+  find('.userinfo').hover()
+  click_link 'Sign Out'
+  should_be_logged_out if options[:validate]
+end
+
+def should_be_logged_out
+  find('h1', text: 'Play music together over the Internet as if in the same room')
+end

 def leave_music_session_sleep_delay
  # add a buffer to ensure WSG has enough time to expire