From 896784a3517b3813a40fd4a89f2f9bc5f0b5b7d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Wed, 13 Sep 2017 15:23:38 +0200
Subject: [PATCH] Clear session when token is invalid

Before this, the user's authentication token would still be stored in the session even when it's found to be invalid. This caused a login action to fail, but not in such a way that we would redirect to the login page of Blender ID. Rather, it would keep you not logged in.

By clearing the session we're sure that the invalid token is forgotten, and the next request will handle the login properly.
---
 pillar/auth/__init__.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pillar/auth/__init__.py b/pillar/auth/__init__.py
index 429e384b..7aed21b9 100644
--- a/pillar/auth/__init__.py
+++ b/pillar/auth/__init__.py
@@ -171,8 +171,13 @@ def _load_user(token) -> typing.Union[UserClass, AnonymousUser]:
 
     from ..api.utils import authentication
 
+    if not token:
+        return AnonymousUser()
+
     db_user = authentication.validate_this_token(token)
     if not db_user:
+        # There is a token, but it's not valid. We should reset the user's session.
+        session.clear()
         return AnonymousUser()
 
     user = UserClass.construct(token, db_user)
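Review bot: The new `session.clear()` in the `if not db_user` branch makes `_load_user` depend on an active request context and on the assumption that the `token` it was handed is the one stored in that session, while nothing in the function body shows where `token` comes from. If any caller passes a token obtained elsewhere — an API client's bearer token, or a call from a background task or management command — an invalid token would either raise `RuntimeError` outside a request context or wipe an unrelated, still-valid browser session. Consider guarding the call, `if flask.has_request_context(): session.clear()` (assuming the `session` here is Flask's), or moving the clearing into the caller that actually read the token from the session, and record the side effect in `_load_user`'s docstring, e.g. "Clears the session when the token is rejected, so the next request starts a fresh login." `_load_user` begins above the hunk (its `def` line and docstring are not shown) and its final `return` lies below it.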