Add additional logs, finish test_auth_logout_expired

2025-12-06 03:15:35 -06:00 · 2024-11-10 13:02:02 -06:00
parent 4d6c46a309
commit 1ea3bc20db
4 changed files with 16 additions and 1 deletions
--- a/backend/linkpulse/dependencies.py
+++ b/backend/linkpulse/dependencies.py
@@ -59,6 +59,7 @@ class SessionDependency:

        # If not present, raise 401 if required
        if session_token is None:
+            logger.debug("No session cookie found", required=self.required)
            if self.required:
                raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized")
            return None
--- a/backend/linkpulse/models.py
+++ b/backend/linkpulse/models.py
@@ -91,6 +91,7 @@ class Session(BaseModel):
            now = utc_now()

        if self.expiry_utc < now:
+            logger.debug("Session expired", token=self.token, user=self.user.email, revoke=revoke)
            if revoke:
                self.delete_instance()
            return True
--- a/backend/linkpulse/routers/auth.py
+++ b/backend/linkpulse/routers/auth.py
@@ -121,9 +121,10 @@ async def logout(
    # We can assume the session is valid via the dependency
    if not all:
        session.delete_instance()
+        logger.debug("Session deleted", user=session.user.email, token=session.token)
    else:
        count = Session.delete().where(Session.user == session.user).execute()
-        logger.debug("All sessions deleted", user=session.user.email, count=count)
+        logger.debug("All sessions deleted", user=session.user.email, count=count, source_token=session.token)

    response.set_cookie("session", "", max_age=0)

--- a/backend/linkpulse/tests/test_auth.py
+++ b/backend/linkpulse/tests/test_auth.py
@@ -64,6 +64,18 @@ def test_auth_login_logout(user):


 def test_auth_logout_expired(expired_session):
+    # Test that an expired session cannot be used to logout, but still removes the cookie
    with TestClient(app) as client:
        response = client.post("/api/logout")
        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+
+        # Add expired session cookie
+        client.cookies.set("session", expired_session.token)
+        assert client.cookies.get("session") is not None
+
+        # Attempt to logout
+        response = client.post("/api/logout")
+        assert response.status_code == status.HTTP_401_UNAUTHORIZED
+        assert client.cookies.get("session") is None
+
+        # TODO: Ensure ?all=True doesn't do anything either