Headless `SessionView` for `APP` client creates an unnecessary session
joonhyungshin opened this issue · comments
In an APP
context, when the client invokes DELETE on SessionView
, a new empty and useless session is created in the session store and an associated session token is present in the response. Because this new session is empty, it can't be used to authenticate, so fortunately there isn't any security issue related to this.
In short, the following test fails:
def test_logout_no_token(app_client, user):
app_client.force_login(user)
resp = app_client.get(reverse("headless:app:account:current_session"))
assert resp.status_code == 200
resp = app_client.delete(reverse("headless:app:account:current_session"))
assert resp.status_code == 401
assert "session_token" not in resp.json()["meta"]
The problem is that Django's logout()
function flushes the session which sets session.modified = True
, but expose_session_token()
attempts to create a new session token if session.modified = True
. A simple fix would be to also check if the session data is empty.