Merge pull request #386 from multinet-app/remove-cookie

Remove session cookie on logout

multinet/auth/__init__.py

@@ -5,7 +5,7 @@
 from flask.blueprints import Blueprint
 from werkzeug.wrappers import Response as ResponseWrapper
 
-from multinet.user import load_user_from_cookie, filtered_user
+from multinet.user import load_user_from_cookie, filtered_user, delete_user_cookie
 
 MULTINET_COOKIE = "multinet-token"
 
@@ -36,5 +36,12 @@ def user_info() -> ResponseWrapper:
 def logout() -> ResponseWrapper:
     """Return the filtered user object."""
 
-    session.pop(MULTINET_COOKIE, None)
+    # Instruct the browser to delete its session cookie, if it exists.
+    cookie = session.pop(MULTINET_COOKIE, None)
+    if cookie is not None:
+        # Load the user model and invalidate its session.
+        user = load_user_from_cookie(cookie)
+        if user is not None:
+            delete_user_cookie(user)
+
     return make_response("", 200)

multinet/user.py

@@ -72,6 +72,16 @@ def set_user_cookie(user: User) -> User:
     return updated_user(new_user)
 
 
+def delete_user_cookie(user: User) -> User:
+    """Delete the user cookie."""
+    user_copy = copy_user(user)
+
+    # Remove the session object from the user record, then persist that to the
+    # database.
+    user_copy.multinet.session = None
+    return updated_user(user_copy)
+
+
 def load_user_from_cookie(cookie: str) -> Optional[User]:
     """Use provided cookie to load a user, return None if they dont exist."""
     coll = user_collection()

requirements.txt

@@ -14,7 +14,7 @@ flask-cors==3.0.8
 flask==1.1.1
 gunicorn==20.0.4
 idna==2.8
-importlib-metadata==1.6.0 ; python_version < '3.8'
+importlib-metadata==1.6.0; python_version < '3.8'
 itsdangerous==1.1.0
 jinja2==3.0.0a1
 jsonschema==3.2.0