franceconnect: return HTTP 400 error on bad calls to logout URL (#40896)

tests/test_fc_auth.py

@@ -343,3 +343,10 @@ def test_fc_settings_no_user_profile():
 
     resp = resp.forms[0].submit('submit').follow()
     assert pub.cfg['fc'] == FC_CONFIG
+
+
+def test_fc_logout_error():
+    setup_user_profile(pub)
+    setup_fc_environment(pub)
+    app = get_app(pub)
+    app.get('/ident/fc/logout', status=400)

wcs/qommon/ident/franceconnect.py

@@ -25,6 +25,7 @@ from django.utils.six.moves.urllib import parse as urllib
 from quixote import redirect, get_session, get_publisher, get_request, get_session_manager
 from quixote.directory import Directory
 from quixote.html import htmltext, TemplateIO
+from quixote.errors import QueryError
 
 from .. import _, N_
 from ..backoffice.menu import html_top
@@ -476,6 +477,8 @@ class FCAuthMethod(AuthMethod):
 
     def logout(self):
         session = get_session()
+        if not session or not session.extra_user_variables or not session.extra_user_variables.get('fc_id_token'):
+            raise QueryError()
         id_token = session.extra_user_variables['fc_id_token']
         get_session_manager().expire_session()
         logout_url = self.get_logout_url()