Merge pull request #4496 from freedomofpress/fix-session-src

Redirect to index after session expiration on /generate
freedomofpress · Jun 4, 2019 · 6a92407 · 6a92407
2 parents 1bd3ca0 + 7fafd7c
commit 6a92407
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/securedrop/source_app/__init__.py b/securedrop/source_app/__init__.py
@@ -145,7 +145,9 @@ def setup_g():
             # clear the session after we render the message so it's localized
             session.clear()
 
+            # Redirect to index with flashed message
             flash(Markup(msg), "important")
+            return redirect(url_for('main.index'))
 
         session['expires'] = datetime.utcnow() + \
             timedelta(minutes=getattr(config,

diff --git a/securedrop/tests/test_source.py b/securedrop/tests/test_source.py
@@ -3,6 +3,7 @@
 import re
 import subprocess
 import six
+import time
 
 from io import BytesIO
 from flask import session, escape, current_app, url_for, g
@@ -667,7 +668,33 @@ def test_source_session_expiration(config, source_app):
         # which is always present and 'csrf_token' which leaks no info)
         session.pop('expires', None)
         session.pop('csrf_token', None)
-        assert not session, session
+        assert not session
+
+        text = resp.data.decode('utf-8')
+        assert 'Your session timed out due to inactivity' in text
+
+
+def test_source_session_expiration_create(config, source_app):
+    with source_app.test_client() as app:
+
+        seconds_session_expire = 1
+        config.SESSION_EXPIRATION_MINUTES = seconds_session_expire / 60.
+
+        # Make codename, and then wait for session to expire.
+        resp = app.get(url_for('main.generate'))
+        assert resp.status_code == 200
+
+        time.sleep(seconds_session_expire + 0.1)
+
+        # Now when we click create, the session will have expired.
+        resp = app.post(url_for('main.create'), follow_redirects=True)
+
+        # check that the session was cleared (apart from 'expires'
+        # which is always present and 'csrf_token' which leaks no info)
+        session.pop('expires', None)
+        session.pop('csrf_token', None)
+        assert not session
+
         text = resp.data.decode('utf-8')
         assert 'Your session timed out due to inactivity' in text