From 817314b8ee4c95389d1f7b425b07d88c72d631c3 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Thu, 6 Oct 2022 16:21:25 +0200 Subject: [PATCH] views: send all related SessionIndex in LogoutRequest (#69955) As we do not known which one the IdP remember, we must send them all. --- mellon/views.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/mellon/views.py b/mellon/views.py index 82a4de2..d6b80fd 100644 --- a/mellon/views.py +++ b/mellon/views.py @@ -753,12 +753,14 @@ class LogoutView(ProfileMixin, LogMixin, View): self.get_relay_state(create=True) try: session_indexes = models.SessionIndex.objects.filter( - saml_identifier__user=request.user, saml_identifier__issuer__entity_id=issuer - ).order_by('-id') + saml_identifier__user=request.user, + saml_identifier__issuer__entity_id=issuer, + session_key=request.session.session_key, + ) if not session_indexes: self.log.error('unable to find lasso session dump') else: - session_dump = utils.make_session_dump(session_indexes[:1]) + session_dump = utils.make_session_dump(session_indexes) logout.setSessionFromDump(session_dump) session_indexes.update(logout_timestamp=now()) logout.initRequest(issuer, lasso.HTTP_METHOD_REDIRECT) @@ -812,7 +814,10 @@ class LogoutView(ProfileMixin, LogMixin, View): token_content = signing.loads(token, salt=self.TOKEN_SALT) next_url = token_content['next_url'] or logout_next_url session_index_pk = token_content['session_index_pk'] - session_indexes = models.SessionIndex.objects.filter(pk=session_index_pk) + session_index = models.SessionIndex.objects.filter(pk=session_index_pk).first() + session_indexes = models.SessionIndex.objects.filter( + saml_identifier=session_index.saml_identifier, session_key=session_index.session_key + ) if session_indexes: session_dump = utils.make_session_dump(session_indexes) logout = utils.create_logout(request)