Logout to return HTTP 401 if unauthorized (#11190)

#10798

- [X] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or
docs/Contributing/API-for-contributors.md)~
- ~[ ] Documented any permissions changes~
- ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)~
- ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for
new osquery data ingestion features.~
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
  - For Orbit and Fleet Desktop changes:
- ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.~
- ~[ ] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
Lucas Manuel Rodriguez 2023-04-13 18:37:42 -03:00 committed by GitHub
parent c16184a647
commit 1797bf05c6
3 changed files with 3 additions and 3 deletions


@ -0,0 +1 @@
* Fix `/api/_version/fleet/logout` to return HTTP 401 if unauthorized.


@ -3329,7 +3329,7 @@ func (s *integrationTestSuite) TestUsers() {
s.DoJSON("POST", "/api/latest/fleet/logout", nil, http.StatusOK, &logoutResp)
// logout again, even though not logged in
s.DoJSON("POST", "/api/latest/fleet/logout", nil, http.StatusInternalServerError, &logoutResp) // TODO: should be OK even if not logged in, see #4406.
s.DoJSON("POST", "/api/latest/fleet/logout", nil, http.StatusUnauthorized, &logoutResp)
s.token = s.getTestAdminToken()
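Review bot: The new assertion on the second logout only pins the status code, and the comment above it (`// logout again, even though not logged in`) no longer explains why 401 is the expected answer now that the #4406 TODO is gone. The request is issued while s.token still carries the token of the session the first logout destroyed (it is only refreshed on the following line), so the 401 presumably comes from the session lookup failing and no viewer being placed in the context; I would say so in the comment, e.g. `// logout again with the token of the session just destroyed: the session is gone, so the endpoint must answer 401 rather than 500`. A second case that sends the logout with no token at all would pin the unauthenticated path independently of the stale-token one, since the two may reach DestroySession differently. TestUsers continues outside the hunk.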


@ -232,14 +232,13 @@ func (svc *Service) Logout(ctx context.Context) error {
logging.WithLevel(ctx, level.Info)
// TODO: this should not return an error if the user wasn't logged in
return svc.DestroySession(ctx)
}
func (svc *Service) DestroySession(ctx context.Context) error {
vc, ok := viewer.FromContext(ctx)
if !ok {
return fleet.ErrNoContext
return fleet.NewAuthRequiredError(fleet.ErrNoContext.Error())
}
session, err := svc.ds.SessionByID(ctx, vc.SessionID())