Delete server-side session on logout

When it's set. Also, store it in current attributes for convenience. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-04-09 06:27:49 +09:00 · 2026-01-15 20:04:01 +01:00
parent 1852adb06c
commit dde94b06ed
4 changed files with 31 additions and 7 deletions
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -67,17 +67,27 @@ module Authentication
      authenticated_as session
    end

+    def terminate_current_session
+      Current.session&.destroy!
+      reset_session
+      remove_authentication_cookie
+    end
+
    def authenticated_as(session)
-      Current.user = session.user
+      Current.session = session
      set_authenticated_by(:session)
-      cookies.signed.permanent[:session_token] = { value: session.token, httponly: true, same_site: :lax }
+      set_authentication_cookie(session)
    end

    def post_authenticating_url
      session.delete(:return_to_after_authenticating) || root_url
    end

-    def reset_authentication
+    def set_authentication_cookie(session)
+      cookies.signed.permanent[:session_token] = { value: session.token, httponly: true, same_site: :lax }
+    end
+
+    def remove_authentication_cookie
      cookies.delete(:session_token)
    end

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -18,7 +18,7 @@ class SessionsController < ApplicationController

  def destroy
    remove_push_subscription
-    reset_authentication
+    terminate_current_session
    redirect_to root_url
  end

--- a/app/models/current.rb
+++ b/app/models/current.rb
@@ -1,8 +1,16 @@
 class Current < ActiveSupport::CurrentAttributes
-  attribute :user, :request
+  attribute :session, :user, :request

  delegate :host, :protocol, to: :request, prefix: true, allow_nil: true

+  def session=(value)
+    super(value)
+
+    if value.present?
+      self.user = session.user
+    end
+  end
+
  def account
    Account.first
  end
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -28,7 +28,9 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
  end

  test "create with valid credentials" do
-    post session_url, params: { email_address: "david@37signals.com", password: "secret123456" }
+    assert_difference -> { Session.count }, +1 do
+      post session_url, params: { email_address: "david@37signals.com", password: "secret123456" }
+    end

    assert_redirected_to root_url
    assert parsed_cookies.signed[:session_token]
@@ -43,11 +45,15 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest

  test "destroy" do
    sign_in :david
+    session = users(:david).sessions.last

-    delete session_url
+    assert_difference -> { Session.count }, -1 do
+      delete session_url
+    end

    assert_redirected_to root_url
    assert_not cookies[:session_token].present?
+    assert_nil Session.find_by(id: session.id)
  end

  test "destroy removes the push subscription for the device" do