Don't use cached user if session has been reset

lib/rpi_auth/controllers/current_user.rb

@@ -10,8 +10,8 @@ module CurrentUser
       end
 
       def current_user
-        return @current_user if @current_user
         return nil unless session[:current_user]
+        return @current_user if @current_user
 
         @current_user = RpiAuth.user_model.new(session[:current_user])
       end

spec/dummy/app/controllers/home_controller.rb

@@ -1,4 +1,10 @@
 class HomeController < ApplicationController
   def show
   end
+
+  def reset_user
+    current_user
+    reset_session
+    render :show
+  end
 end

spec/dummy/config/routes.rb

@@ -1,6 +1,7 @@
 Rails.application.routes.draw do
   # For details on the DSL available within this file, see https://guides.rubyonrails.org/routing.html
   root to: 'home#show'
+  get '/reset-user', to: 'home#reset_user'
 
   resource :session, only: %i[create]
 

spec/dummy/spec/requests/auth_request_spec.rb

@@ -182,6 +182,15 @@
         expect(session.id).not_to eq previous_id
       end
 
+      it 'does not use cached user if session is reset' do
+        post '/auth/rpi'
+        follow_redirect!
+
+        get reset_user_path
+
+        expect(response.body).to include('Log in')
+      end
+
       context 'when session_keys_to_persist is set' do
         let(:session_keys_to_persist) { 'foo' }