fix: clear all session data on logout (#5429)

edisile · web-flow · commit 0d7fa6189535 · 2025-10-23T13:45:59.000+02:00
diff --git a/tests/publisher/tests_account_logout.py b/tests/publisher/tests_account_logout.py
@@ -1,5 +1,6 @@
 import responses
 from tests.publisher.endpoint_testing import BaseTestCases
+from webapp.authentication import SESSION_DATA_KEYS
 
 # Make sure tests fail on stray responses.
 responses.mock.assert_all_requests_are_fired = True
@@ -13,8 +14,14 @@ def setUp(self):
 
     @responses.activate
     def test_logout(self):
+        with self.client.session_transaction() as session:
+            for key in SESSION_DATA_KEYS:
+                session[key] = "MOCK VALUE"
+
         response = self.client.get(self.endpoint_url)
 
         self.assertEqual(302, response.status_code)
 
         self.assertEqual("/", response.location)
+
+        self.assertIn("session=;", response.headers.get("Set-Cookie"))
diff --git a/webapp/authentication.py b/webapp/authentication.py
@@ -20,6 +20,18 @@
 ]
 
 
+SESSION_DATA_KEYS = [
+    "macaroons",
+    "macaroon_root",
+    "macaroon_discharge",
+    "publisher",
+    "github_auth_secret",
+    "developer_token",
+    "exchanged_developer_token",
+    "csrf_token",
+]  # keys for data stored in the session that should be cleared on logout
+
+
 def get_authorization_header(root, discharge):
     """
     Bind root and discharge macaroons and return the authorization header.
@@ -52,11 +64,8 @@ def empty_session(session):
     """
     Empty the session, used to logout.
     """
-    session.pop("macaroons", None)
-    session.pop("macaroon_root", None)
-    session.pop("macaroon_discharge", None)
-    session.pop("publisher", None)
-    session.pop("github_auth_secret", None)
+    for key in SESSION_DATA_KEYS:
+        session.pop(key, None)
 
 
 def get_caveat_id(root):
