Class: Aker::Rack::Logout

Inherits:

Object

• Object
• Aker::Rack::Logout

Includes:

ConfigurationHelper

Defined in:

lib/aker/rack/logout.rb

Overview

Middleware for ending authenticated sessions. This middleware listens for GET requests to the logout path and when such requests are received, clears user data.

The logout path is /logout by default. It may be overridden in the Aker configuration by setting a value for :logout_path in the :rack parameter group.

## Implications of GET

GET was chosen to ensure that there always exists a way to clear application session data independent of whether it is possible to get to a logout link. (If unmarshalable data exists in the session – say, stored objects whose format has changed between application revisions – it is possible to get into a state where logout links cannot be accessed.)

Using GET does mean that it is possible to execute CSRF attacks that will log out the user. The severity of this can range from a minor annoyance (just having to log in again while browsing a series of pages) to major (losing all data in a large POST).

See Also:

• use_in

Author:

• David Yip

Instance Method Summary

• #call(env) ⇒ Array

  When given a GET for the configured logout path, invokes Warden’s logout procedure (which resets the session), and passes control down to the rest of the application.

• #initialize(app) ⇒ Logout constructor

  Instantiates the middleware.

Methods included from ConfigurationHelper

#login_path, #logout_path

Methods included from EnvironmentHelper

#authority, #configuration, #interactive?

Constructor Details

#initialize(app) ⇒ Logout

Instantiates the middleware.

Parameters:

• app (Rack app) —

  the Rack application on which this middleware should be layered

# File 'lib/aker/rack/logout.rb', line 38

def initialize(app)
  @app = app
end

Instance Method Details

#call(env) ⇒ Array

When given a GET for the configured logout path, invokes Warden’s logout procedure (which resets the session), and passes control down to the rest of the application.

If the application or a mode does not provide a handler for the configured logout path, then the handler defined by DefaultLogoutResponder will be invoked.

Parameters:

• env (Hash) —

  a Rack environment

Returns:

• (Array) —

  a finished Rack response

See Also:

• Aker::Rack.use_in

# File 'lib/aker/rack/logout.rb', line 54

def call(env)
  if env['REQUEST_METHOD'] == 'GET' && env['PATH_INFO'] == logout_path(env)
    env['warden'].logout
  end

  @app.call(env)
end