Merge pull request #2070 from govuk-forms/log-user-out-when-they-submit

Log the user out of One Login when their form is submitted

Author: stephencdaly

app/controllers/application_controller.rb

@@ -118,4 +118,8 @@ def default_locale?(locale)
 
     false
   end
+
+  def auth_service
+    @auth_service ||= AuthService.new(session)
+  end
 end

app/controllers/forms/check_your_answers_controller.rb

@@ -43,7 +43,12 @@ def submit_answers
 
         current_context.save_submission_details(submission_reference, requested_email_confirmation)
 
-        redirect_to :form_submitted
+        if auth_service.logged_in?
+          auth_service.store_return_params(form: current_context.form, mode: mode, locale: locale_param)
+          redirect_to auth_service.logout_redirect_uri(omniauth_logged_out_url), allow_other_host: true
+        else
+          redirect_to :form_submitted
+        end
       rescue FormSubmissionService::ConfirmationEmailToAddressError
         setup_check_your_answers
         email_confirmation_input.errors.add(:confirmation_email_address, :invalid_email)

app/controllers/forms/continue_to_one_login_controller.rb

@@ -3,7 +3,7 @@ class ContinueToOneLoginController < BaseController
     before_action :redirect_if_feature_disabled, :redirect_if_form_incomplete
 
     def show
-      Store::ReturnFromOneLoginStore.new(session).store_return_params(
+      auth_service.store_return_params(
         form: current_context.form,
         mode: mode,
         locale: locale_param,

app/controllers/users/omniauth_controller.rb

@@ -1,31 +1,29 @@
 module Users
   class OmniauthController < ApplicationController
-    class OmniAuthLoggedInDataMissingError < StandardError; end
     class OmniAuthFailure < StandardError; end
 
-    rescue_from Store::ReturnFromOneLoginStore::MissingReturnParamsError do
-      Rails.logger.warn("Missing return params in session for One Login callback")
-      redirect_to error_404_path
-    end
-
     def callback
-      email = request.env.dig("omniauth.auth", "info", "email")
-      if email.blank?
-        raise OmniAuthLoggedInDataMissingError, "Email is missing in OmniAuth auth hash"
-      end
-
-      return_from_one_login_store = Store::ReturnFromOneLoginStore.new(session)
-      form_id = return_from_one_login_store.form_id
-      path_params = return_from_one_login_store.get_path_params
+      auth_hash = request.env["omniauth.auth"]
+      auth_service.store_auth_details(auth_hash)
 
-      Store::ConfirmationDetailsStore.new(session, form_id).save_copy_of_answers_email_address(email)
+      path_params = auth_service.form_path_params
 
       redirect_to check_your_answers_path(**path_params)
+    rescue Store::ReturnFromOneLoginStore::MissingReturnParamsError
+      Rails.logger.warn("Missing return params in session for One Login callback")
+      redirect_to error_404_path
     end
 
     def failure
       error = request.env["omniauth.error"]
       raise OmniAuthFailure, error
     end
+
+    def logged_out
+      auth_service.clear_auth_session
+
+      path_params = auth_service.form_path_params
+      redirect_to form_submitted_path(**path_params)
+    end
   end
 end

app/lib/store/auth_store.rb

@@ -0,0 +1,28 @@
+module Store
+  class AuthStore
+    AUTH_KEY = "auth".freeze
+    TOKEN_KEY = "token".freeze
+
+    def initialize(store)
+      @store = store
+    end
+
+    def store_token(token)
+      @store[AUTH_KEY] = {
+        TOKEN_KEY => token,
+      }
+    end
+
+    def get_token
+      @store.dig(AUTH_KEY, TOKEN_KEY)
+    end
+
+    def clear
+      @store.delete(AUTH_KEY)
+    end
+
+    def logged_in?
+      get_token.present?
+    end
+  end
+end

app/lib/store/return_from_one_login_store.rb

@@ -20,7 +20,7 @@ def store_return_params(form:, mode:, locale:)
       @store[RETURN_FROM_ONE_LOGIN_KEY][LAST_LOCALE_KEY] = locale
     end
 
-    def get_path_params
+    def form_path_params
       raise MissingReturnParamsError if @store[RETURN_FROM_ONE_LOGIN_KEY].blank?
 
       {

app/services/auth_service.rb

@@ -0,0 +1,56 @@
+class AuthService
+  class DataMissingError < StandardError; end
+
+  attr_reader :auth_store, :return_from_one_login_store
+
+  def initialize(store)
+    @store = store
+    @return_from_one_login_store = Store::ReturnFromOneLoginStore.new(store)
+    @auth_store = Store::AuthStore.new(store)
+  end
+
+  delegate :logged_in?, to: :auth_store
+  delegate :store_return_params, :form_path_params, to: :return_from_one_login_store
+
+  def store_auth_details(auth_hash)
+    form_id = @return_from_one_login_store.form_id
+
+    raise DataMissingError, "Auth hash is missing on request" if auth_hash.blank?
+
+    email = auth_hash.dig("info", "email")
+    raise DataMissingError, "Email is missing in OmniAuth auth hash" if email.blank?
+
+    token = auth_hash.dig("credentials", "id_token")
+    raise DataMissingError, "Token is missing in OmniAuth auth hash" if token.blank?
+
+    @auth_store.store_token(token)
+    Store::ConfirmationDetailsStore.new(@store, form_id).save_copy_of_answers_email_address(email)
+  end
+
+  def logout_redirect_uri(post_logout_redirect_uri)
+    token = @auth_store.get_token
+    logout_request = logout_utility.build_request(
+      id_token_hint: token,
+      post_logout_redirect_uri: url_without_params(post_logout_redirect_uri),
+    )
+    logout_request.redirect_uri
+  end
+
+  def clear_auth_session
+    @auth_store.clear
+  end
+
+private
+
+  def logout_utility
+    @logout_utility ||= OmniAuth::GovukOneLogin::LogoutUtility.new(
+      idp_configuration: Rails.application.config.x.one_login.idp_configuration,
+    )
+  end
+
+  def url_without_params(url)
+    url = URI.parse(url)
+    url.query = nil
+    url.to_s
+  end
+end

config/initializers/omniauth.rb

@@ -28,3 +28,6 @@
   # will call `Users::OmniauthController#failure` if there are any errors during the login process
   on_failure { |env| Users::OmniauthController.action(:failure).call(env) }
 end
+
+# Store this globally so we only make a request to the One Login discovery endpoint once as the configuration should not regularly change
+Rails.application.config.x.one_login.idp_configuration = OmniAuth::GovukOneLogin::IdpConfiguration.new(idp_base_url: Settings.govuk_one_login.base_url)

config/routes.rb

@@ -3,6 +3,7 @@
 
   get "/auth/govuk_one_login/callback", to: "users/omniauth#callback", as: :omniauth_callback
   get "/auth/failure", to: "users/omniauth#failure", as: :omniauth_failure
+  get "/auth/logged-out", to: "users/omniauth#logged_out", as: :omniauth_logged_out
 
   # Reveal health status on /up that returns 200 if the app boots with no exceptions, otherwise 500.
   # Can be used by load balancers and uptime monitors to verify that the app is live.

config/settings/test.yml

@@ -17,3 +17,6 @@ submission_status_api:
 file_upload:
   poll_scan_status_wait_milliseconds: 50
   poll_scan_status_max_attempts: 2
+
+govuk_one_login:
+  base_url: http://example.com/one-login-mock/