add /auth/oauth2/logout, goto callback after login/logout.

mozilla · Apr 7, 2015 · 4114dd2 · 4114dd2
1 parent 816b4f5
commit 4114dd2
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 1 deletion.
diff --git a/fake_oauth2/urls.py b/fake_oauth2/urls.py
@@ -6,4 +6,5 @@
     url(r'^login/oauth/authorize$', views.authorize),
     url(r'^login/oauth/access_token$', views.access_token),
     url(r'^user$', views.user),
+    url(r'^logout$', views.logout),
 ]
diff --git a/fake_oauth2/views.py b/fake_oauth2/views.py
@@ -52,3 +52,9 @@ def user(request):
     })
 
     return res
+
+@require_GET
+def logout(request):
+    url = reverse('teach.views.oauth2_callback')
+    qs = 'logout=true'
+    return HttpResponseRedirect('%s?%s' % (url, qs))
diff --git a/teach/urls.py b/teach/urls.py
@@ -30,6 +30,8 @@
         'teach.views.oauth2_authorize'),
     url(r'^auth/oauth2/callback$',
         'teach.views.oauth2_callback'),
+    url(r'^auth/oauth2/logout$',
+        'teach.views.oauth2_logout'),
 
     url(r'^api-introduction/', 'teach.views.api_introduction',
         name='api-introduction'),

diff --git a/teach/views.py b/teach/views.py
@@ -44,8 +44,24 @@ def get_origin(url):
         return None
     return '%s://%s' % (info.scheme, info.netloc)
 
+def validate_callback(callback):
+    origin = get_origin(callback)
+    valid_origins = settings.CORS_API_PERSONA_ORIGINS
+    if origin and origin in valid_origins:
+        return callback
+    if settings.DEBUG and valid_origins == ['*']:
+        return callback
+    return None
+
+def set_callback(request):
+    callback = validate_callback(request.GET.get('callback', ''))
+    if callback:
+        request.session['oauth2_callback'] = callback
+
 def oauth2_authorize(request):
+    set_callback(request)
     request.session['oauth2_state'] = get_random_string(length=32)
+
     return HttpResponseRedirect(get_idapi_url("/login/oauth/authorize", {
         'client_id': settings.IDAPI_CLIENT_ID,
         'response_type': 'code',
@@ -54,9 +70,13 @@ def oauth2_authorize(request):
     }))
 
 def oauth2_callback(request):
+    callback = request.session.get('oauth2_callback', '/')
     expected_state = request.session.get('oauth2_state')
     state = request.GET.get('state')
     code = request.GET.get('code')
+    if request.GET.get('logout') == 'true':
+        django.contrib.auth.logout(request)
+        return HttpResponseRedirect(callback)
     if state is None or expected_state is None or state != expected_state:
         return HttpResponse('invalid state')
     if code is None:
@@ -65,7 +85,13 @@ def oauth2_callback(request):
     user = django.contrib.auth.authenticate(webmaker_oauth2_code=code)
     django.contrib.auth.login(request, user)
 
-    return HttpResponse('hello %s' % user.username)
+    return HttpResponseRedirect(callback)
+
+def oauth2_logout(request):
+    set_callback(request)
+    return HttpResponseRedirect(get_idapi_url("/logout", {
+        'client_id': settings.IDAPI_CLIENT_ID
+    }))
 
 def check_origin(request):
     origin = request.META.get('HTTP_ORIGIN')