Invalidate all session tokens when a user signs out

Fixes https://jira.coreos.com/browse/QS-85
2017-12-07 11:39:27 -05:00 · 2017-12-07 11:39:27 -05:00 · 1d1c6f0606
commit 1d1c6f0606
parent d405f6f158
4 changed files with 16 additions and 4 deletions
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@ -895,6 +895,7 @@ class TestSignout(ApiTestCase):
  def test_signout(self):
    self.login(READ_ACCESS_USER)

+    read_user = model.user.get_user(READ_ACCESS_USER)
    json = self.getJsonResponse(User)
    assert json['username'] == READ_ACCESS_USER

@ -903,6 +904,10 @@ class TestSignout(ApiTestCase):
    # Make sure we're now signed out.
    self.getJsonResponse(User, expected_code=401)

+    # Make sure the user's UUID has rotated, to ensure sessions are no longer valid.
+    read_user_again = model.user.get_user(READ_ACCESS_USER)
+    self.assertNotEquals(read_user.uuid, read_user_again.uuid)
+

 class TestConductSearch(ApiTestCase):
  def test_noaccess(self):