Don't use cached user if session has been reset #79
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a bit of an edge case, but if the user is logged in and then the session is reset (or at least its `current_user` value is reset) and `RpiAuth::Controllers::CurrentUser#current_user` is called within the *same* request, then previously it would have returned the user "cached" in the `@current_user`. Now it will return `nil` which seems less surprising. This was highlighted by this example [1] in code-club-frontend. In that case the example passes, because that app has its own implementation of `#current_user` [2]. However, when I added a similar example in experience-cs where we're using `RpiAuth::Controllers::CurrentUser#current_user`, the example failed. I've added a rather contrived example by adding a new `HomeController#reset_user` action to the dummy app used in the specs. However, hopefully it helps explain a bit about why the change is necessary. It looks as if the only two RPF repos that use `RpiAuth::Controllers::CurrentUser` are experience-ai [3,4] and experience-cs [5]. I'm pretty confident this change won't affect either of those apps, so this can probably be a minor version bump. I think a possible alternative to making this change would be to provide a `#reset_user` method which could both reset the session *and* reset the ivar-cached user. However, given that the code-club-frontend implementation already uses this approach, I think that probably makes more sense for now. [1]: https://github.com/RaspberryPiFoundation/code-club-frontend/blob/901f2200e926741fd170858286d64f1dd49994b4/spec/requests/refresh_credentials_spec.rb#L90 [2]: https://github.com/RaspberryPiFoundation/code-club-frontend/blob/901f2200e926741fd170858286d64f1dd49994b4/app/controllers/concerns/authentication_concern.rb#L6-L11 [3]: https://github.com/RaspberryPiFoundation/experience-ai/blob/ad729cefe060fcc0f0c345b3297247069fe55867/app/controllers/application_controller.rb#L6 [4]: https://github.com/RaspberryPiFoundation/experience-ai/blob/ad729cefe060fcc0f0c345b3297247069fe55867/app/controllers/api/v1/zipped_resources_controller.rb#L6 [5]: https://github.com/RaspberryPiFoundation/experience-cs/blob/33fa4756371fa3a550f32ac7613130e0925c17d3/app/controllers/application_controller.rb#L4
Test coverage: 100.0% |
patch0
approved these changes
Apr 14, 2025
Contributor
patch0
left a comment
patch0
left a comment
There was a problem hiding this comment.
Thank you for the detailed PR notes. Makes a lot of sense.
floehopper
added a commit
that referenced
this pull request
Apr 15, 2025
floehopper
added a commit
that referenced
this pull request
Apr 15, 2025
- Add `CHANGELOG` entry for #79 - Update `CHANGELOG` & `RpiAuth::VERSION` in preparation to release v4.0.0
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a bit of an edge case, but if the user is logged in and then the session is reset (or at least its
current_uservalue is reset) andRpiAuth::Controllers::CurrentUser#current_useris called within the same request, then previously it would have returned the user "cached" in the@current_user. Now it will returnnilwhich seems less surprising.This was highlighted by this example in code-club-frontend. In that case the example passes, because that app has its own implementation of
#current_user. However, when I added a similar example in experience-cs where we're usingRpiAuth::Controllers::CurrentUser#current_user, the example failed.I've added a rather contrived example by adding a new
HomeController#reset_useraction to the dummy app used in the specs. However, hopefully it helps explain a bit about why the change is necessary.It looks as if the only two RPF repos that use
RpiAuth::Controllers::CurrentUserare experience-ai here and here and experience-cs. I'm pretty confident this change won't affect either of those apps, so this can probably be a minor version bump.I think a possible alternative to making this change would be to provide a
#reset_usermethod which could both reset the session and reset the ivar-cached user. However, given that the code-club-frontend implementation already uses this approach, I think that probably makes more sense for now.