fix: fix session destruction and patron login style

nla · Oct 17, 2023 · bdc42a9 · bdc42a9
1 parent d44e169
commit bdc42a9
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 9 deletions.
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
@@ -1,17 +1,23 @@
 # frozen_string_literal: true
 
 class Users::SessionsController < Devise::SessionsController
+  before_action :configure_sign_in_params, only: [:create]
+
   skip_before_action :verify_authenticity_token, only: [:backchannel_logout]
 
-  def destroy
-    # Keycloak logout. Keycloak will send a POST to "/backchannel_logout" to perform a
-    # backchannel logout that terminates the Devise session.
-    iss = session[:iss]
-    id_token = session[:id_token]
+  def create
+    super
+  end
 
-    signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
-    set_flash_message! :notice, :signed_out if signed_out
-    redirect_to("#{iss}/protocol/openid-connect/logout?id_token_hint=#{id_token}&post_logout_redirect_uri=#{root_url}", allow_other_host: true)
+  def destroy
+    if session[:iss].present?
+      # Keycloak logout. Keycloak will send a POST to "/devise_logout" to perform a
+      # backchannel logout that terminates the Devise session.
+      keycloak_logout
+    else
+      # There is no Keycloak session identifier, so destroy the Devise session.
+      devise_logout
+    end
   end
 
   def backchannel_logout
@@ -24,4 +30,25 @@ def backchannel_logout
     user = User.find_by(session_token: session_id)
     user.update_column(:session_token, SecureRandom.hex)
   end
+
+  protected
+
+  def devise_logout
+    signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
+    set_flash_message! :notice, :signed_out if signed_out
+    respond_to_on_destroy
+  end
+
+  def keycloak_logout
+    iss = session[:iss]
+    id_token = session[:id_token]
+
+    signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
+    set_flash_message! :notice, :signed_out if signed_out
+    redirect_to("#{iss}/protocol/openid-connect/logout?id_token_hint=#{id_token}&post_logout_redirect_uri=#{root_url}", allow_other_host: true)
+  end
+
+  def configure_sign_in_params
+    devise_parameter_sanitizer.permit(:sign_in, keys: [user: [:username, :password]])
+  end
 end
diff --git a/app/views/users/sessions/new.html.erb b/app/views/users/sessions/new.html.erb
@@ -1,7 +1,7 @@
 <h1>Login</h1>
 
 <% if ENV["KC_PATRON_REALM"] %>
-  <%= button_to t("auth.patron_login"), user_catalogue_patron_omniauth_authorize_path, data: { turbo: false } %>
+  <%= button_to t("auth.patron_login"), user_catalogue_patron_omniauth_authorize_path, class: "btn btn-primary", data: { turbo: false } %>
 <% else %>
   <%= form_for(resource, as: resource_name, html: {'data-turbo' => "false"}, url: session_path(resource_name)) do |f| %>
     <div class="field form-group">