Closed ingalls closed 4 years ago
Noting that I've added to the work @ingalls did: a max-age field on the user session cookie, so when the cookie is expired the user will automatically be directed back to the user login page. While the current token invalidation code works, it sends back a 401 without redirecting the user. A subsequent refresh redirects the user to log in, but this extra refresh is somewhat annoying. I'm keeping token invalidation as is in case the user does send an invalid cookie (that isn't necessarily expired), but decided to punt on improving the user flow for this edge case.
Context
At the moment, if a session cookie is set and invalid, it will block all calls to hecate, not redirecting the user to auth. This forces the user to go and manually delete the cookie before they are able to reauth.
This implements automatic session cookie clearing on any invalid auth attempt that uses a session cookie.
@lizziegooding or @mattciferri can I get a review and have you test/take it out?
Test Instructions
Run any test that creates the ingalls:yeaheh user/pass
Start server locally with
Navigate to localhost:8000/admin
Should be redirected to login page, login with ingalls:yeaheh user:pass
Run
Refresh the page, you should be deauthenticated and returned to the login page, instead of seeing the white page you may be used to
cc/ @ingalls
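The two mechanisms discussed in this PR (a max-age on the session cookie so the browser drops it itself, and clearing the cookie on any invalid session-cookie auth so a stale cookie cannot keep blocking every request) are illustrated below as an added example. This is not hecate's code; the cookie name `session`, the login path `/admin/login`, the one-hour lifetime and the in-memory `SessionStore` are all assumptions made for the example, and the "browser vs. API call" flag is a stand-in for whatever the real server uses to tell a page navigation (redirect) from an API request (401).

```rust
// Added example, not hecate's own code. Models the session-cookie behaviour
// described in the PR: cookies are issued with Max-Age, and any request that
// carries an invalid/expired session token gets a Set-Cookie that clears it,
// plus either a redirect to the login page (browser navigation) or a 401 (API).
use std::collections::HashSet;

const COOKIE_NAME: &str = "session";      // assumed cookie name
const LOGIN_PATH: &str = "/admin/login";  // assumed login page path
const SESSION_TTL_SECS: u64 = 3600;       // assumed session lifetime (1 hour)

/// Outcome of checking a request's session cookie.
#[derive(Debug, PartialEq)]
pub enum Response {
    Ok,
    Unauthorized { set_cookie: Option<String> },
    Redirect { location: String, set_cookie: Option<String> },
}

/// Stand-in for the server's set of currently valid session tokens.
pub struct SessionStore {
    valid: HashSet<String>,
}

impl SessionStore {
    pub fn new(tokens: &[&str]) -> Self {
        SessionStore { valid: tokens.iter().map(|t| t.to_string()).collect() }
    }

    pub fn is_valid(&self, token: &str) -> bool {
        self.valid.contains(token)
    }
}

/// Set-Cookie value issued at login. Max-Age makes the browser discard the
/// cookie on its own once the session lifetime is over, so the next navigation
/// arrives without a cookie and lands on the login page instead of a 401.
pub fn login_cookie(token: &str) -> String {
    format!(
        "{}={}; Max-Age={}; Path=/; HttpOnly; SameSite=Lax",
        COOKIE_NAME, token, SESSION_TTL_SECS
    )
}

/// Set-Cookie value that clears the session cookie (Max-Age=0 tells the
/// browser to delete it immediately).
pub fn clearing_cookie() -> String {
    format!("{}=; Max-Age=0; Path=/; HttpOnly; SameSite=Lax", COOKIE_NAME)
}

/// Pull the session token out of a raw Cookie header ("a=b; session=xyz").
pub fn session_token(cookie_header: &str) -> Option<&str> {
    cookie_header
        .split(';')
        .map(str::trim)
        .find_map(|kv| kv.strip_prefix(COOKIE_NAME).and_then(|rest| rest.strip_prefix('=')))
        .filter(|tok| !tok.is_empty())
}

/// Decide how to answer a request. `cookie_header` is the request's Cookie
/// header if present; `browser_nav` is true for a page navigation.
pub fn authorize(store: &SessionStore, cookie_header: Option<&str>, browser_nav: bool) -> Response {
    match cookie_header.and_then(session_token) {
        Some(tok) if store.is_valid(tok) => Response::Ok,
        Some(_) => {
            // Invalid or expired token: clear it so the stale cookie does not
            // keep blocking every subsequent request (the bug the PR fixes).
            let set_cookie = Some(clearing_cookie());
            if browser_nav {
                Response::Redirect { location: LOGIN_PATH.to_string(), set_cookie }
            } else {
                Response::Unauthorized { set_cookie }
            }
        }
        None => {
            // No session cookie at all: nothing to clear, just send to login / 401.
            if browser_nav {
                Response::Redirect { location: LOGIN_PATH.to_string(), set_cookie: None }
            } else {
                Response::Unauthorized { set_cookie: None }
            }
        }
    }
}

fn main() {
    let store = SessionStore::new(&["tok-live"]); // constructed sample token
    println!("issued: {}", login_cookie("tok-live"));
    println!("{:?}", authorize(&store, Some("session=tok-live"), true));
    println!("{:?}", authorize(&store, Some("theme=dark; session=tok-stale"), true));
    println!("{:?}", authorize(&store, Some("session=tok-stale"), false));
}
```

The stale-cookie branch is the one that matters for the "white page" symptom in the test instructions: without the clearing Set-Cookie, the browser keeps resending the dead token and every request fails until the user deletes the cookie by hand.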