Fix /account authentication and session deletion behavior (#18151)

ed4ec6c9 · Alexander Polyankin · GitHub · 3a67ddc1 · ed4ec6c9 · ed4ec6c9
Unverified Commit ed4ec6c9 authored 3 years ago by Alexander Polyankin Committed by GitHub 3 years ago
--- a/frontend/src/metabase/account/routes.jsx
+++ b/frontend/src/metabase/account/routes.jsx
@@ -8,18 +8,16 @@ import UserPasswordApp from "./password/containers/UserPasswordApp";
 import LoginHistoryApp from "./login-history/containers/LoginHistoryApp";
 import getNotificationRoutes from "./notifications/routes";

-const getRoutes = () => {
+const getRoutes = (store, IsAuthenticated) => {
  return (
-    <Route
-      path="/account"
-      title={t`Account settings`}
-      component={AccountSettingsApp}
-    >
-      <IndexRedirect to="profile" />
-      <Route path="profile" component={UserProfileApp} />
-      <Route path="password" component={UserPasswordApp} />
-      <Route path="login-history" component={LoginHistoryApp} />
-      {getNotificationRoutes()}
+    <Route path="/account" component={IsAuthenticated}>
+      <Route title={t`Account settings`} component={AccountSettingsApp}>
+        <IndexRedirect to="profile" />
+        <Route path="profile" component={UserProfileApp} />
+        <Route path="password" component={UserPasswordApp} />
+        <Route path="login-history" component={LoginHistoryApp} />
+        {getNotificationRoutes()}
+      </Route>
    </Route>
  );
 };

--- a/frontend/src/metabase/auth/auth.js
+++ b/frontend/src/metabase/auth/auth.js
@@ -7,7 +7,7 @@ import {
 import { push } from "react-router-redux";

 import MetabaseAnalytics from "metabase/lib/analytics";
-import { clearGoogleAuthCredentials } from "metabase/lib/auth";
+import { clearGoogleAuthCredentials, deleteSession } from "metabase/lib/auth";

 import { refreshSiteSettings } from "metabase/redux/settings";

@@ -69,7 +69,7 @@ export const LOGOUT = "metabase/auth/LOGOUT";
 export const logout = createThunkAction(LOGOUT, function() {
  return async function(dispatch, getState) {
    // actively delete the session and remove the cookie
-    await SessionApi.delete();
+    await deleteSession();

    // clear Google auth credentials if any are present
    await clearGoogleAuthCredentials();

--- a/frontend/src/metabase/lib/auth.js
+++ b/frontend/src/metabase/lib/auth.js
 /*global gapi*/

+import { SessionApi } from "metabase/services";
+
+// actively delete the session and remove the cookie
+export async function deleteSession() {
+  try {
+    await SessionApi.delete();
+  } catch (error) {
+    // there are cases when the session is deleted automatically, e.g when the password has been updated
+    // in that case the BE would respond with 404
+    if (error.status !== 404) {
+      console.error("Problem clearing session", error);
+    }
+  }
+}
+
 /// clear out Google Auth credentials in browser if present
 export async function clearGoogleAuthCredentials() {
  const googleAuth =

--- a/frontend/src/metabase/routes.jsx
+++ b/frontend/src/metabase/routes.jsx
@@ -321,7 +321,7 @@ export const getRoutes = store => (
      </Route>

      {/* ACCOUNT */}
-      {getAccountRoutes()}
+      {getAccountRoutes(store, IsAuthenticated)}

      {/* ADMIN */}
      {getAdminRoutes(store, IsAdmin)}

--- a/frontend/test/metabase/scenarios/onboarding/setup/user_settings.cy.spec.js
+++ b/frontend/test/metabase/scenarios/onboarding/setup/user_settings.cy.spec.js
 // Migrated from frontend/test/metabase/user/UserSettings.integ.spec.js
 import { restore } from "__support__/e2e/cypress";
 import { USERS } from "__support__/e2e/cypress_data";
-const { first_name, last_name, email } = USERS.normal;
+const { first_name, last_name, email, password } = USERS.normal;

 const CURRENT_USER = {
  email: "normal@metabase.test",
@@ -67,13 +67,27 @@ describe("user > settings", () => {
    cy.findByText("Password").should("exist");
  });

-  it.skip("it should redirect to the login page when user is signed out but tries to visit `/account/profile` (metabase#15471)", () => {
+  it("should redirect to the login page when the user has signed out but tries to visit `/account/profile` (metabase#15471)", () => {
    cy.signOut();
    cy.visit("/account/profile");
    cy.url().should("include", "/auth/login");
    cy.findByText("Sign in to Metabase");
  });

+  it("should redirect to the login page when the user has changed the password and logged out (metabase#18151)", () => {
+    cy.visit("/account/password");
+
+    cy.findByLabelText("Current password").type(password);
+    cy.findByLabelText("Create a password").type(password);
+    cy.findByLabelText("Confirm your password").type(password);
+    cy.findByText("Save").click();
+    cy.findByText("Success");
+
+    cy.findByLabelText("gear icon").click();
+    cy.findByText("Sign out").click();
+    cy.findByText("Sign in to Metabase");
+  });
+
  describe("when user is authenticated via ldap", () => {
    beforeEach(() => {
      cy.server();