From 4dc8f6aab7b9f31409e20c44f4c2d19e15cc8d08 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 14 Mar 2024 17:10:30 +0100
Subject: [PATCH] misc: remove dead logged-in JSONP endpoint (#88195)

---
 src/authentic2/app_settings.py | 1 -
 src/authentic2/urls.py | 1 -
 src/authentic2/views.py | 32 +-------------------------------
 3 files changed, 1 insertion(+), 33 deletions(-)

diff --git a/src/authentic2/app_settings.py b/src/authentic2/app_settings.py
index d992b07a9..7b8bc7ae5 100644
--- a/src/authentic2/app_settings.py
+++ b/src/authentic2/app_settings.py
@@ -177,7 +177,6 @@ default_settings = dict(
         default=True, definition='Check username uniqueness on registration'
     ),
     IDP_BACKENDS=(),
-    VALID_REFERERS=Setting(default=(), definition='List of prefix to match referers'),
     A2_OPENED_SESSION_COOKIE_NAME=Setting(default='A2_OPENED_SESSION', definition='Authentic session open'),
     A2_OPENED_SESSION_COOKIE_DOMAIN=Setting(default=None),
     A2_ATTRIBUTE_KINDS=Setting(default=(), definition='List of other attribute kinds'),
diff --git a/src/authentic2/urls.py b/src/authentic2/urls.py
index cbe1f8981..910b7fe50 100644
--- a/src/authentic2/urls.py
+++ b/src/authentic2/urls.py
@@ -50,7 +50,6 @@ accounts_urlpatterns = [
         views.ValidateDeletionView.as_view(),
         name='validate_deletion',
     ),
-    path('logged-in/', views.logged_in, name='logged-in'),
     path('edit/', views.edit_profile, name='profile_edit'),
     path('edit/required/', views.edit_required_profile, name='profile_required_edit'),
     re_path(r'^edit/(?P[-\w]+)/$', views.edit_profile, name='profile_edit_with_scope'),
diff --git a/src/authentic2/views.py b/src/authentic2/views.py
index 86ff1e86a..f8609d118 100644
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@@ -33,13 +33,7 @@ from django.db.models import Count
 from django.db.models.query import Q
 from django.db.transaction import atomic
 from django.forms import CharField
-from django.http import (
-    Http404,
-    HttpResponse,
-    HttpResponseBadRequest,
-    HttpResponseForbidden,
-    HttpResponseRedirect,
-)
+from django.http import Http404, HttpResponseBadRequest, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, render
 from django.template import loader
 from django.template.loader import render_to_string
@@ -1074,30 +1068,6 @@ def login_password_profile(request, *args, **kwargs):
     )
 
 
-class LoggedInView(View):
-    '''JSONP web service to detect if an user is logged'''
-
-    http_method_names = ['get']
-
-    def check_referrer(self):
-        '''Check if the given referer is authorized'''
-        referer = self.request.headers.get('Referer', '')
-        for valid_referer in app_settings.VALID_REFERERS:
-            if referer.startswith(valid_referer):
-                return True
-        return False
-
-    def get(self, request, *args, **kwargs):
-        if not self.check_referrer():
-            return HttpResponseForbidden()
-        callback = request.GET.get('callback')
-        content = f'{callback}({int(request.user.is_authenticated)})'
-        return HttpResponse(content, content_type='application/json')
-
-
-logged_in = never_cache(LoggedInView.as_view())
-
-
 def csrf_failure_view(request, reason=''):
     messages.warning(request, _('The page is out of date, it was reloaded for you'))
     return HttpResponseRedirect(request.get_full_path())
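Review bot: Dropping `HttpResponse` and `HttpResponseForbidden` on the rewritten `+from django.http import Http404, HttpResponseBadRequest, HttpResponseRedirect` line is only safe if no remaining view in views.py still references either name; the hunk cannot show that, though the diffstat (one insertion, 33 deletions, all accounted for by this import and the removed class) is consistent with it. The commit also removes a routed endpoint (`logged-in/`) and the `VALID_REFERERS` setting from `default_settings` without any changelog or release-note entry, so a deployment that still configures that setting or whose front-ends still poll the endpoint gets no signal beyond a 404; a one-line note in the project's changelog naming the removed URL and setting would give operators something to act on. If any test module still reverses `logged-in` or sets `VALID_REFERERS`, it would need the same cleanup, which this patch does not touch.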