anti
c82897193e
POST /auth/logout adds the caller's jti to the denylist and drops the local negative-cache entry, so the token 401s on its very next use. Single-session semantics: only this token dies, other sessions for the same user keep working. Reachable for must_change_password users (it runs the revocation checks but skips the must_change gate via get_token_claims) so a session can always be ended; an already-revoked token is rejected.
88 lines
3.4 KiB
Python
88 lines
3.4 KiB
Python
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
"""Logout endpoint (WI2): denylists the presented token's jti."""
|
|
from __future__ import annotations
|
|
|
|
import uuid as _uuid
|
|
|
|
import pytest
|
|
from sqlalchemy import select
|
|
|
|
from decnet.web.auth import get_password_hash
|
|
from decnet.web.db.models import User
|
|
from decnet.web.dependencies import repo
|
|
|
|
PROTECTED = "/api/v1/attackers?limit=1"
|
|
|
|
|
|
def _auth(token: str) -> dict[str, str]:
|
|
return {"Authorization": f"Bearer {token}"}
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_logout_revokes_the_presented_token(client, auth_token):
|
|
# Works before logout.
|
|
assert (await client.get(PROTECTED, headers=_auth(auth_token))).status_code == 200
|
|
# Logout succeeds.
|
|
r = await client.post("/api/v1/auth/logout", headers=_auth(auth_token))
|
|
assert r.status_code == 200, r.text
|
|
# The same token is now dead.
|
|
assert (await client.get(PROTECTED, headers=_auth(auth_token))).status_code == 401
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_logout_without_a_token_is_401(client):
|
|
r = await client.post("/api/v1/auth/logout")
|
|
assert r.status_code == 401
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_logout_twice_is_rejected(client, auth_token):
|
|
assert (await client.post("/api/v1/auth/logout", headers=_auth(auth_token))).status_code == 200
|
|
# Second attempt with the now-revoked token fails closed.
|
|
assert (await client.post("/api/v1/auth/logout", headers=_auth(auth_token))).status_code == 401
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_logout_only_kills_the_one_session(client, auth_token):
|
|
# A second independent login for the same user keeps working after the
|
|
# first session logs out — single-session, not log-out-everywhere.
|
|
from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
|
|
second = (await client.post(
|
|
"/api/v1/auth/login",
|
|
json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD},
|
|
)).json()["access_token"]
|
|
|
|
assert (await client.post("/api/v1/auth/logout", headers=_auth(auth_token))).status_code == 200
|
|
assert (await client.get(PROTECTED, headers=_auth(auth_token))).status_code == 401
|
|
# The other session is untouched.
|
|
assert (await client.get(PROTECTED, headers=_auth(second))).status_code == 200
|
|
|
|
|
|
@pytest.mark.asyncio
|
|
async def test_must_change_user_can_still_logout(client):
|
|
# A user with must_change_password=True is blocked from protected routes
|
|
# but must always be able to end their session.
|
|
username, password = "logout-mcp-user", "logout-mcp-pass-1"
|
|
async with repo.session_factory() as session:
|
|
if not (await session.execute(
|
|
select(User).where(User.username == username)
|
|
)).scalar_one_or_none():
|
|
session.add(User(
|
|
uuid=str(_uuid.uuid4()),
|
|
username=username,
|
|
password_hash=get_password_hash(password),
|
|
role="viewer",
|
|
must_change_password=True,
|
|
))
|
|
await session.commit()
|
|
|
|
token = (await client.post(
|
|
"/api/v1/auth/login", json={"username": username, "password": password},
|
|
)).json()["access_token"]
|
|
# Protected route is blocked by must_change...
|
|
assert (await client.get(PROTECTED, headers=_auth(token))).status_code == 403
|
|
# ...but logout still works.
|
|
assert (await client.post("/api/v1/auth/logout", headers=_auth(token))).status_code == 200
|
|
# And the token is revoked afterwards.
|
|
assert (await client.post("/api/v1/auth/logout", headers=_auth(token))).status_code == 401
|