From bdc42a9d7ec42e53bbd577939b224b9586a59cdb Mon Sep 17 00:00:00 2001
From: Yetrina Battad
Date: Tue, 17 Oct 2023 13:46:08 +1100
Subject: [PATCH] fix: fix session destruction and patron login style
---
 app/controllers/users/sessions_controller.rb | 43 ++++++++++++++++----
 app/views/users/sessions/new.html.erb | 2 +-
 2 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index 61f580a..86beef6 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -1,17 +1,23 @@
 # frozen_string_literal: true
 class Users::SessionsController < Devise::SessionsController
+ before_action :configure_sign_in_params, only: [:create]
+ skip_before_action :verify_authenticity_token, only: [:backchannel_logout]
- def destroy
- # Keycloak logout. Keycloak will send a POST to "/backchannel_logout" to perform a
- # backchannel logout that terminates the Devise session.
- iss = session[:iss]
- id_token = session[:id_token]
+ def create
+ super
+ end
- signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
- set_flash_message! :notice, :signed_out if signed_out
- redirect_to("#{iss}/protocol/openid-connect/logout?id_token_hint=#{id_token}&post_logout_redirect_uri=#{root_url}", allow_other_host: true)
+ def destroy
+ if session[:iss].present?
+ # Keycloak logout. Keycloak will send a POST to "/devise_logout" to perform a
+ # backchannel logout that terminates the Devise session.
+ keycloak_logout
+ else
+ # There is no Keycloak session identifier, so destroy the Devise session.
+ devise_logout
+ end
 end
 def backchannel_logout
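Review bot: `skip_before_action :verify_authenticity_token, only: [:backchannel_logout]` leaves the logout_token validation inside `backchannel_logout` as the only thing gating an action that, per the context lines of the next hunk, rotates a user's `session_token` from a `session_id`; the body of `backchannel_logout` starts at the end of this hunk and continues outside it, so I cannot confirm from here that the token's signature, issuer and audience are checked before that lookup. A comment on the new line would make that contract explicit, e.g. `# CSRF is skipped because Keycloak POSTs here server-to-server; the request is authenticated by validating the logout_token instead.` The `create` override that only calls `super` is redundant, since `before_action :configure_sign_in_params, only: [:create]` already applies to the inherited action, and can be dropped. The `destroy` comment now says Keycloak POSTs to "/devise_logout" while the action is still named `backchannel_logout`; if the route was not renamed in this commit, that path is stale.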
@@ -24,4 +30,25 @@ def backchannel_logout
 user = User.find_by(session_token: session_id)
 user.update_column(:session_token, SecureRandom.hex)
 end
+
+ protected
+
+ def devise_logout
+ signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
+ set_flash_message! :notice, :signed_out if signed_out
+ respond_to_on_destroy
+ end
+
+ def keycloak_logout
+ iss = session[:iss]
+ id_token = session[:id_token]
+
+ signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
+ set_flash_message! :notice, :signed_out if signed_out
+ redirect_to("#{iss}/protocol/openid-connect/logout?id_token_hint=#{id_token}&post_logout_redirect_uri=#{root_url}", allow_other_host: true)
+ end
+
+ def configure_sign_in_params
+ devise_parameter_sanitizer.permit(:sign_in, keys: [user: [:username, :password]])
+ end
 end
diff --git a/app/views/users/sessions/new.html.erb b/app/views/users/sessions/new.html.erb
index 2d985b6..daa910b 100644
--- a/app/views/users/sessions/new.html.erb
+++ b/app/views/users/sessions/new.html.erb
@@ -1,7 +1,7 @@
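Review bot: `keycloak_logout` interpolates `id_token` and `root_url` unencoded into the query string of a redirect whose host is taken from `session[:iss]` and issued with `allow_other_host: true`, and nothing in the method checks that `iss` is the issuer this app trusts, so any code path that stores an unvalidated value in `session[:iss]` turns `destroy` into an off-site redirect. Build the query with `query = URI.encode_www_form(id_token_hint: id_token, post_logout_redirect_uri: root_url)` followed by `redirect_to("#{iss}/protocol/openid-connect/logout?#{query}", allow_other_host: true)`, and compare `iss` with the Keycloak issuer the app is configured for (falling back to `devise_logout` on mismatch) before redirecting; where `session[:iss]` is populated is outside this diff, so I can only flag the missing check. Separately, `configure_sign_in_params` permits `keys: [user: [:username, :password]]`, which Devise's sanitizer applies beneath `params[:user]`, so it permits `user[user][username]` rather than the `user[username]` that `form_for(resource, as: resource_name, ...)` in the view posts; unless the form really nests that way, `keys: [:username, :password]` is the intended form.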

Login

 <% if ENV["KC_PATRON_REALM"] %>
- <%= button_to t("auth.patron_login"), user_catalogue_patron_omniauth_authorize_path, data: { turbo: false } %>
+ <%= button_to t("auth.patron_login"), user_catalogue_patron_omniauth_authorize_path, class: "btn btn-primary", data: { turbo: false } %>
 <% else %>
 <%= form_for(resource, as: resource_name, html: {'data-turbo' => "false"}, url: session_path(resource_name)) do |f| %>