views: clean FranceConnect session variable on unlink (#32953)

2019-05-16 17:58:17 +02:00 · 2019-05-16 17:58:17 +02:00 · 2da033c409
parent beca608c97
commit 2da033c409
1 changed files with 9 additions and 4 deletions
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@ -149,6 +149,13 @@ def access_token_from_request(request, logger):
 ACCESS_GRANT_CODE = 'accessgrantcode'


+def clean_fc_session(session):
+    session.pop('fc_id_token', None)
+    session.pop('fc_id_token_raw', None)
+    session.pop('fc_user_info', None)
+    session.pop('fc_data', None)
+
+
 class FcOAuthSessionViewMixin(LoggerMixin):
    '''Add the OAuth2 dance to a view'''
    scopes = ['openid', 'profile', 'birth', 'email']
@ -510,6 +517,7 @@ class UnlinkView(LoggerMixin, FormView):
        if app_settings.logout_when_unlink:
            # logout URL can be None if not session exists with FC
            url = utils.build_logout_url(self.request, next_url=url) or url
+        clean_fc_session(self.request.session)
        return url

    def get_form_class(self):
@ -574,10 +582,7 @@ unlink = UnlinkView.as_view()
 class LogoutReturnView(View):
    def get(self, request, *args, **kwargs):
        state = request.GET.get('state')
-        request.session.pop('fc_id_token', None)
-        request.session.pop('fc_id_token_raw', None)
-        request.session.pop('fc_user_info', None)
-        request.session.pop('fc_data', None)
+        clean_fc_session(request.session)
        states = request.session.pop('fc_states', None)
        next_url = None
        if states and state in states: