implement FranceConnect logout (#25696)

2018-10-05 14:14:35 +02:00 · 2018-10-05 14:14:35 +02:00 · 1b9092b1d0
parent b5581a5ab6
commit 1b9092b1d0
3 changed files with 24 additions and 1 deletions
--- a/tests/test_fc_auth.py
+++ b/tests/test_fc_auth.py
@ -168,6 +168,10 @@ def test_fc_login_page(caplog):
    assert session.extra_user_variables['fc_sub'] == 'ymca'

    resp = app.get('/logout')
+    assert resp.location.endswith('/ident/fc/logout')
+    resp = resp.follow()
+    assert resp.location == 'https://fcp.integ01.dev-franceconnect.fr/api/v1/logout?post_logout_redirect_uri=http%3A%2F%2Fexample.net'
+    assert not get_session(app)

    # Test error handling path
    resp = app.get('/ident/fc/callback?%s' % urllib.urlencode({
--- a/wcs/qommon/ident/franceconnect.py
+++ b/wcs/qommon/ident/franceconnect.py
@ -100,11 +100,14 @@ class UserFieldMappingTableWidget(WidgetListAsTable):


 class MethodDirectory(Directory):
-    _q_exports = ['login', 'callback']
+    _q_exports = ['login', 'logout', 'callback']

    def login(self):
        return FCAuthMethod().login()

+    def logout(self):
+        return FCAuthMethod().logout()
+
    def callback(self):
        return FCAuthMethod().callback()

@ -222,6 +225,9 @@ class MethodAdminDirectory(Directory):
        r += _('Callback URL is %s.') % fc_callback
        r += htmltext('</p>')
        r += htmltext('<p>')
+        r += _('Logout callback URL is %s.') % get_publisher().get_frontoffice_url()
+        r += htmltext('</p>')
+        r += htmltext('<p>')
        r += htmltext(_('See <a href="https://franceconnect.gouv.fr/fournisseur-service">'
                        'FranceConnect partners\'site</a> for getting a client_id and '
                        'a client_secret.'))
@ -463,3 +469,11 @@ class FCAuthMethod(AuthMethod):
        session.set_user(user.id)
        session.extra_user_variables = session_var_fc_user
        return redirect(next_url)
+
+    def logout(self):
+        logout_url = self.get_logout_url()
+        post_logout_redirect_uri = get_publisher().get_frontoffice_url()
+        logout_url += '?' + urllib.urlencode({
+            'post_logout_redirect_uri': post_logout_redirect_uri,
+        })
+        return redirect(logout_url)
--- a/wcs/root.py
+++ b/wcs/root.py
@ -264,6 +264,11 @@ class RootDirectory(Directory):
        if not session:
            return redirect(get_publisher().get_root_url())
        ident_methods = get_cfg('identification', {}).get('methods', [])
+
+        if 'fc' in ident_methods and session.extra_user_variables and 'fc_sub' in session.extra_user_variables:
+            get_session_manager().expire_session()
+            return redirect(get_publisher().get_root_url() + 'ident/fc/logout')
+
        if not 'idp' in ident_methods:
            get_session_manager().expire_session()
            return redirect(get_publisher().get_root_url())