From 2da033c409da432dfa1988312e50aed204a6c636 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 16 May 2019 17:58:17 +0200
Subject: [PATCH] views: clean FranceConnect session variable on unlink (#32953)
---
 src/authentic2_auth_fc/views.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/authentic2_auth_fc/views.py b/src/authentic2_auth_fc/views.py
index d446574..5cf65bb 100644
--- a/src/authentic2_auth_fc/views.py
+++ b/src/authentic2_auth_fc/views.py
@@ -149,6 +149,13 @@ def access_token_from_request(request, logger):
 ACCESS_GRANT_CODE = 'accessgrantcode'
+def clean_fc_session(session):
+    session.pop('fc_id_token', None)
+    session.pop('fc_id_token_raw', None)
+    session.pop('fc_user_info', None)
+    session.pop('fc_data', None)
+
+
 class FcOAuthSessionViewMixin(LoggerMixin):
     '''Add the OAuth2 dance to a view'''
     scopes = ['openid', 'profile', 'birth', 'email']
@@ -510,6 +517,7 @@ class UnlinkView(LoggerMixin, FormView):
         if app_settings.logout_when_unlink:
             # logout URL can be None if not session exists with FC
             url = utils.build_logout_url(self.request, next_url=url) or url
+        clean_fc_session(self.request.session)
         return url
     def get_form_class(self):
@@ -574,10 +582,7 @@ unlink = UnlinkView.as_view()
 class LogoutReturnView(View):
     def get(self, request, *args, **kwargs):
         state = request.GET.get('state')
-        request.session.pop('fc_id_token', None)
-        request.session.pop('fc_id_token_raw', None)
-        request.session.pop('fc_user_info', None)
-        request.session.pop('fc_data', None)
+        clean_fc_session(request.session)
         states = request.session.pop('fc_states', None)
         next_url = None
         if states and state in states:
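Review bot: `clean_fc_session` has no docstring, and its scope is narrower than its name suggests: it removes the four FranceConnect login artefacts but leaves `fc_states`, which the LogoutReturnView hunk further down still pops on its own. A docstring such as `"""Drop the FranceConnect login artefacts (id token, raw id token, user info, data) from *session*; ``fc_states`` is deliberately left for the logout-return flow."""` keeps a later caller from assuming the helper clears everything FC-related. If `session` is a Django session object, `pop()` presumably also marks it modified so the removal is persisted at the end of the request; if that is relied on it is worth stating in the same docstring.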
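Review bot: The new `clean_fc_session(self.request.session)` call sits after `utils.build_logout_url(...)` and outside the `if app_settings.logout_when_unlink` branch, and nothing says whether that order is required; if `build_logout_url` reads the FC id token from the session (the comment above it suggests the URL depends on the FC session), moving the call one line up would silently produce a logout URL without it. A comment such as `# after build_logout_url(), which may still need the FC session data; unlink always clears it` pins that down. The method this runs in starts outside the hunk and appears to be a URL-returning accessor, so the session mutation is a side effect a reader would not expect from its name; note it in that method's docstring as well.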