Add settings to allow deletings Django cookies upon logout. Fix #80

Valentin Samir 2022-10-17 19:29:05 +02:00
parent a4e50ac7d5
commit 319c63a7f2
4 changed files with 37 additions and 8 deletions


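--- a/<path-not-on-page:changelog>
+++ b/<path-not-on-page:changelog>
@@ -12,6 +12,7 @@ Unreleased
 Added
 -----
 * Support for Django 4.0 and 4.1
+* Add settings to allow deletings Django cookies upon logout
 Fixes
 -----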


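--- a/<path-not-on-page:settings-docs>
+++ b/<path-not-on-page:settings-docs>
@@ -285,6 +285,17 @@ Authentication settings
 * ``CAS_SLO_TIMEOUT``: Timeout for a single SLO request in seconds. The default is ``5``.
+* ``CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT``: If `True` Django session cookie will be removed
+on logout from CAS server (default `False`). Note that Django session middleware will generate
+a new session cookie.
+* ``CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT``: If `True` Django csrf cookie will be removed on
+logout from CAS server (default `False`). Note that Django csrf middleware will generate a new
+csrf token cookie.
+* ``CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT``: If `True` Django language cookie will be
+removed on logout from CAS server (default `False`).
 Federation settings
 -------------------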


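--- a/<path-not-on-page:default-settings.py>
+++ b/<path-not-on-page:default-settings.py>
@@ -239,6 +239,13 @@ CAS_INFO_MESSAGES = {
 #: Let the list empty to disable messages display.
 CAS_INFO_MESSAGES_ORDER = []
+#: :class:`bool` If `True` Django session cookie will be removed on logout from CAS server
+CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT = False
+#: :class:`bool` If `True` Django csrf cookie will be removed on logout from CAS server
+CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT = False
+#: :class:`bool` If `True` Django language cookie will be removed on logout from CAS server
+CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT = False
 GLOBALS = globals().copy()
 for name, default_value in GLOBALS.items():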


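--- a/<path-not-on-page:views.py>
+++ b/<path-not-on-page:views.py>
@@ -153,6 +153,16 @@ class LogoutView(View, LogoutMixin):
 self.url = request.GET.get('url')
 self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META
+@staticmethod
+def delete_cookies(response):
+if settings.CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT:
+response.delete_cookie(settings.SESSION_COOKIE_NAME)
+if settings.CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT:
+response.delete_cookie(settings.CSRF_COOKIE_NAME)
+if settings.CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT:
+response.delete_cookie(settings.LANGUAGE_COOKIE_NAME)
+return response
 def get(self, request, *args, **kwargs):
 """
 method called on GET request on this view
@@ -181,15 +191,15 @@ class LogoutView(View, LogoutMixin):
 response = HttpResponseRedirect(utils.update_url(url, params))
 if request.GET.get("forget_provider"):
 response.delete_cookie("remember_provider")
-return response
+return self.delete_cookies(response)
 # if service is set, redirect to service after logout
 if self.service:
 list(messages.get_messages(request))  # clean messages before leaving the django app
-return HttpResponseRedirect(self.service)
+return self.delete_cookies(HttpResponseRedirect(self.service))
 # if service is not set but url is set, redirect to url after logout
 elif self.url:
 list(messages.get_messages(request))  # clean messages before leaving the django app
-return HttpResponseRedirect(self.url)
+return self.delete_cookies(HttpResponseRedirect(self.url))
 else:
 # build logout message depending of the number of sessions the user logs out
 if session_nb == 1:
@@ -224,19 +234,19 @@ class LogoutView(View, LogoutMixin):
 'url': url,
 'session_nb': session_nb
 }
-return json_response(request, data)
+return self.delete_cookies(json_response(request, data))
 else:
-return redirect("cas_server:login")
+return self.delete_cookies(redirect("cas_server:login"))
 else:
 if self.ajax:
 data = {'status': 'success', 'detail': 'logout', 'session_nb': session_nb}
-return json_response(request, data)
+return self.delete_cookies(json_response(request, data))
 else:
-return render(
+return self.delete_cookies(render(
 request,
 settings.CAS_LOGOUT_TEMPLATE,
 utils.context({'logout_msg': logout_msg})
-)
+))
 class FederateAuth(CsrfExemptView):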
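Review bot: `delete_cookies` in the first hunk calls `response.delete_cookie(name)` with Django's default `path='/'` and `domain=None`, and a browser only discards a cookie when path and domain match the ones it was set with, so on a deployment that configures `SESSION_COOKIE_PATH`/`SESSION_COOKIE_DOMAIN` (or the CSRF and language equivalents) the new settings silently do nothing and the session cookie survives logout. Pass the attributes the middleware used, e.g. `response.delete_cookie(settings.SESSION_COOKIE_NAME, path=settings.SESSION_COOKIE_PATH, domain=settings.SESSION_COOKIE_DOMAIN)`, and likewise `CSRF_COOKIE_PATH`/`CSRF_COOKIE_DOMAIN` and `LANGUAGE_COOKIE_PATH`/`LANGUAGE_COOKIE_DOMAIN` for the other two calls. Deleting the cookie only affects the client; whether the server-side session is also invalidated depends on LogoutMixin, which is outside this hunk, so a stale session cookie kept by the client would still be valid until that happens. A one-line docstring on `delete_cookies` such as `"""Strip the Django cookies selected by the CAS_REMOVE_DJANGO_*_COOKIE_ON_LOGOUT settings from response and return it."""` would document why every return path of get() now routes through it.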