From dde94b06ed656485baff58896e36863f329f2004 Mon Sep 17 00:00:00 2001
From: Rosa Gutierrez
Date: Thu, 15 Jan 2026 20:04:01 +0100
Subject: [PATCH] Delete server-side session on logout

When it's set. Also, store it in current attributes for convenience.

Co-Authored-By: Claude Opus 4.5
---
 app/controllers/concerns/authentication.rb   | 16 +++++++++++++---
 app/controllers/sessions_controller.rb       |  2 +-
 app/models/current.rb                        | 10 +++++++++-
 test/controllers/sessions_controller_test.rb | 10 ++++++++--
 4 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index f0db848..db23800 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -67,17 +67,27 @@ module Authentication
     authenticated_as session
   end
 
+  def terminate_current_session
+    Current.session&.destroy!
+    reset_session
+    remove_authentication_cookie
+  end
+
   def authenticated_as(session)
-    Current.user = session.user
+    Current.session = session
     set_authenticated_by(:session)
-    cookies.signed.permanent[:session_token] = { value: session.token, httponly: true, same_site: :lax }
+    set_authentication_cookie(session)
   end
 
   def post_authenticating_url
     session.delete(:return_to_after_authenticating) || root_url
   end
 
-  def reset_authentication
+  def set_authentication_cookie(session)
+    cookies.signed.permanent[:session_token] = { value: session.token, httponly: true, same_site: :lax }
+  end
+
+  def remove_authentication_cookie
     cookies.delete(:session_token)
   end
 
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 420ae5f..1ac2bfd 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -18,7 +18,7 @@ class SessionsController < ApplicationController
   def destroy
     remove_push_subscription
-    reset_authentication
+    terminate_current_session
     redirect_to root_url
   end
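Review bot: The cookie written in `set_authentication_cookie` is a long-lived bearer credential (`permanent` gives a multi-year expiry) yet carries only `httponly: true, same_site: :lax` and no `secure:` attribute, so unless the app enables `config.force_ssl` elsewhere (which marks every cookie Secure) the session token can be sent over plain HTTP. Either add it explicitly, `cookies.signed.permanent[:session_token] = { value: session.token, httponly: true, secure: Rails.env.production?, same_site: :lax }`, or confirm force_ssl is on and record that in a comment on the method. Separately, `terminate_current_session` only deletes the record that was loaded into `Current.session` earlier in the request (the method ending at the top of the hunk calls `authenticated_as session`); if the logout action can be reached without that resumption, the cookie is cleared but the server-side row survives, which is presumably not intended and deserves a comment such as `# Deletes the session resumed for this request, if any; the cookie is cleared regardless.`. The method that resumes the session starts outside this hunk, so whether that path exists cannot be confirmed here.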
diff --git a/app/models/current.rb b/app/models/current.rb
index 990d2b4..ac1ad69 100644
--- a/app/models/current.rb
+++ b/app/models/current.rb
@@ -1,8 +1,16 @@
 class Current < ActiveSupport::CurrentAttributes
-  attribute :user, :request
+  attribute :session, :user, :request
 
   delegate :host, :protocol, to: :request, prefix: true, allow_nil: true
 
+  def session=(value)
+    super(value)
+
+    if value.present?
+      self.user = session.user
+    end
+  end
+
   def account
     Account.first
   end
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index 430f456..92b860f 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -28,7 +28,9 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
   end
 
   test "create with valid credentials" do
-    post session_url, params: { email_address: "david@37signals.com", password: "secret123456" }
+    assert_difference -> { Session.count }, +1 do
+      post session_url, params: { email_address: "david@37signals.com", password: "secret123456" }
+    end
 
     assert_redirected_to root_url
     assert parsed_cookies.signed[:session_token]
@@ -43,11 +45,15 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
   test "destroy" do
     sign_in :david
+    session = users(:david).sessions.last
 
-    delete session_url
+    assert_difference -> { Session.count }, -1 do
+      delete session_url
+    end
 
     assert_redirected_to root_url
     assert_not cookies[:session_token].present?
+    assert_nil Session.find_by(id: session.id)
   end
 
   test "destroy removes the push subscription for the device" do
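Review bot: The new `session=` setter in `Current` propagates to `user` only when a session is assigned, so `Current.session = nil` leaves a previously set `user` in place and the two attributes can disagree for the rest of the request. `CurrentAttributes` is reset between requests, so the exposure is a single request, but a mid-request sign-out or a test that nils the session would still see an authenticated `Current.user`. If that asymmetry is unintended, collapse the conditional to `self.user = value&.user`, which also drops the `present?` call on an ActiveRecord object where it is only a nil check. If it is intended (for example, code that sets `Current.user` directly without a session), say so with a comment such as `# Clearing the session deliberately leaves a user assigned via Current.user= untouched.`.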