Sign out link on mismatch organisation failure page

* Actually calls the DSI logout endpoint * Set a post logout redirect uri back to Claim * Goes back to the Start no sign-in page with a flash message
DFE-Digital · Sep 3, 2024 · 3d79203 · 3d79203
1 parent 2699366
commit 3d79203
Show file tree

Hide file tree

Showing 7 changed files with 68 additions and 1 deletion.
diff --git a/.env.test b/.env.test
@@ -1,6 +1,7 @@
 DFE_SIGN_IN_API_CLIENT_ID=teacherpayments
 DFE_SIGN_IN_API_SECRET=secret
 DFE_SIGN_IN_API_ENDPOINT=https://example.com
+DFE_SIGN_IN_ISSUER=https://issuer.example.com
 
 DQT_API_URL=https://teacher-qualifications-api.education.gov.uk/
 DQT_API_KEY=1a2b3c4d5e6f7g8h9i0

diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
@@ -29,6 +29,21 @@ def failure
     end
   end
 
+  def sign_out
+    case current_journey_routing_name
+    when "further-education-payments-provider"
+      redirect_to(
+        claim_path(
+          journey: current_journey_routing_name,
+          slug: "sign-in"
+        ),
+        notice: "You've been signed out"
+      )
+    else
+      render file: Rails.root.join("public", "404.html"), status: :not_found, layout: false
+    end
+  end
+
   def onelogin
     core_identity_jwt = omniauth_hash.extra.raw_info[ONELOGIN_JWT_CORE_IDENTITY_HASH_KEY]
     return process_one_login_identity_verification_callback(core_identity_jwt) if core_identity_jwt

diff --git a/app/models/journeys/further_education_payments/provider.rb b/app/models/journeys/further_education_payments/provider.rb
@@ -27,6 +27,21 @@ def self.request_service_access_url(session)
           "users", session.answers.dfe_sign_in_uid
         ].join("/")
       end
+
+      def self.sign_out_url
+        dfe_sign_out_redirect_uri = URI.join(ENV.fetch("DFE_SIGN_IN_ISSUER"), "/session/end")
+
+        post_logout_redirect_uri = URI.join(ENV.fetch("DFE_SIGN_IN_REDIRECT_BASE_URL"), "/further-education-payments-provider/auth/sign-out")
+        client_id = DfeSignIn.configuration.client_id
+
+        params = {
+          post_logout_redirect_uri:,
+          client_id:
+        }
+
+        dfe_sign_out_redirect_uri.query = URI.encode_www_form(params)
+        dfe_sign_out_redirect_uri.to_s
+      end
     end
   end
 end
diff --git a/...s/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb b/...s/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb
@@ -12,7 +12,9 @@
   that you have logged in using the correct one.
 </p>
 
-<p class="govuk-body govuk-!-margin-top-6">
+<%= govuk_button_link_to "Sign out", Journeys::FurtherEducationPayments::Provider.sign_out_url %>
+
+<p class="govuk-body">
   Email <%= govuk_mail_to("[email protected]") %>
   if you have logged in with the correct organisation and need support.
 </p>
diff --git a/config/routes.rb b/config/routes.rb
@@ -86,6 +86,7 @@ def matches?(request)
 
     scope constraints: {journey: "further-education-payments-provider"} do
       get "auth/callback", to: "omniauth_callbacks#callback"
+      get "auth/sign-out", to: "omniauth_callbacks#sign_out"
     end
 
     scope path: "/", constraints: {journey: Regexp.new(Journeys.all_routing_names.join("|"))} do

diff --git a/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb b/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb
@@ -128,6 +128,8 @@
     expect(page).to have_text(
       "The organisation you have used to log in to DfE Sign-in does not match the organisation in the claim."
     )
+
+    expect(page).to have_link("Sign out", href: Journeys::FurtherEducationPayments::Provider.sign_out_url)
   end
 
   scenario "provider visits claim with the wrong role" do

diff --git a/spec/requests/omniauth_callbacks_controller_spec.rb b/spec/requests/omniauth_callbacks_controller_spec.rb
@@ -1,6 +1,37 @@
 require "rails_helper"
 
 RSpec.describe "OmniauthCallbacksControllers", type: :request do
+  describe "#sign_out" do
+    before do
+      allow_any_instance_of(OmniauthCallbacksController).to receive(:current_journey_routing_name).and_return(journey)
+
+      get auth_sign_out_path(journey: "further-education-payments-provider")
+    end
+
+    context "further education payments provider journey" do
+      let(:journey) { Journeys::FurtherEducationPayments::Provider::ROUTING_NAME }
+
+      it "redirects to the FE sign-in page with a flash message" do
+        expect(response).to redirect_to(
+          claim_path(
+            journey: "further-education-payments-provider",
+            slug: "sign-in"
+          )
+        )
+
+        expect(flash[:notice]).to include("You've been signed out")
+      end
+    end
+
+    context "no journey returns a 404" do
+      let(:journey) { nil }
+
+      it "404 page" do
+        expect(response.body).to include("Page not found")
+      end
+    end
+  end
+
   describe "#callback" do
     def set_mock_auth(trn)
       OmniAuth.config.mock_auth[:default] = OmniAuth::AuthHash.new(