From 3d792030fd39f801149a54c9e7228b8552daaf80 Mon Sep 17 00:00:00 2001
From: Kenneth Lee
Date: Tue, 3 Sep 2024 18:17:56 +0100
Subject: [PATCH] Sign out link on mismatch organisation failure page
* Actually calls the DSI logout endpoint
* Set a post logout redirect uri back to Claim
* Goes back to the Start no sign-in page with a flash message
---
.env.test | 1 +
.../omniauth_callbacks_controller.rb | 15 +++++++++
.../further_education_payments/provider.rb | 15 +++++++++
...nauthorised_organisation_mismatch.html.erb | 4 ++-
config/routes.rb | 1 +
.../provider_verifying_claims_spec.rb | 2 ++
.../omniauth_callbacks_controller_spec.rb | 31 +++++++++++++++++++
7 files changed, 68 insertions(+), 1 deletion(-)
diff --git a/.env.test b/.env.test
index 4e7f78cd84..ed980aeb7e 100644
--- a/.env.test
+++ b/.env.test
@@ -1,6 +1,7 @@
DFE_SIGN_IN_API_CLIENT_ID=teacherpayments
DFE_SIGN_IN_API_SECRET=secret
DFE_SIGN_IN_API_ENDPOINT=https://example.com
+DFE_SIGN_IN_ISSUER=https://issuer.example.com
DQT_API_URL=https://teacher-qualifications-api.education.gov.uk/
DQT_API_KEY=1a2b3c4d5e6f7g8h9i0
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index f0d51b5dbd..19b1b6b153 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -29,6 +29,21 @@ def failure
end
end
+ def sign_out
+ case current_journey_routing_name
+ when "further-education-payments-provider"
+ redirect_to(
+ claim_path(
+ journey: current_journey_routing_name,
+ slug: "sign-in"
+ ),
+ notice: "You've been signed out"
+ )
+ else
+ render file: Rails.root.join("public", "404.html"), status: :not_found, layout: false
+ end
+ end
+
def onelogin
core_identity_jwt = omniauth_hash.extra.raw_info[ONELOGIN_JWT_CORE_IDENTITY_HASH_KEY]
return process_one_login_identity_verification_callback(core_identity_jwt) if core_identity_jwt
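Review bot: The new `sign_out` action only redirects with a flash; nothing in this hunk clears the local Rails session, so the DfE Sign-in identifiers stored for the journey (`session.answers.dfe_sign_in_uid` is read elsewhere in this patch) appear to survive the IdP logout unless something outside the hunk resets them. A user who is told "You've been signed out" could still be treated as signed in by this app on the next request. Consider clearing the session in the `when "further-education-payments-provider"` branch before the redirect, e.g. `reset_session` as its first line (or the journey-session clearing helper this controller already uses, if one exists). The endpoint is an unauthenticated GET, which is expected for an OIDC post-logout redirect target, so whatever clearing is added should be safe to run for anyone who visits the URL.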
diff --git a/app/models/journeys/further_education_payments/provider.rb b/app/models/journeys/further_education_payments/provider.rb
index d6d79b4c10..ddb3df810f 100644
--- a/app/models/journeys/further_education_payments/provider.rb
+++ b/app/models/journeys/further_education_payments/provider.rb
@@ -27,6 +27,21 @@ def self.request_service_access_url(session)
"users", session.answers.dfe_sign_in_uid
].join("/")
end
+
+ def self.sign_out_url
+ dfe_sign_out_redirect_uri = URI.join(ENV.fetch("DFE_SIGN_IN_ISSUER"), "/session/end")
+
+ post_logout_redirect_uri = URI.join(ENV.fetch("DFE_SIGN_IN_REDIRECT_BASE_URL"), "/further-education-payments-provider/auth/sign-out")
+ client_id = DfeSignIn.configuration.client_id
+
+ params = {
+ post_logout_redirect_uri:,
+ client_id:
+ }
+
+ dfe_sign_out_redirect_uri.query = URI.encode_www_form(params)
+ dfe_sign_out_redirect_uri.to_s
+ end
end
end
end
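Review bot: `URI.join(ENV.fetch("DFE_SIGN_IN_ISSUER"), "/session/end")` resolves an absolute path, so any path component in the issuer (for example `https://host/oidc`) is discarded and the request goes to `https://host/session/end`; the same applies to the `/further-education-payments-provider/auth/sign-out` join against `DFE_SIGN_IN_REDIRECT_BASE_URL`. If either value can ever carry a path, prefer the OP's discovered `end_session_endpoint` (or a relative join against a base that ends in `/`) over a hard-coded absolute path. Separately, the logout request carries only `client_id` and `post_logout_redirect_uri`; OIDC RP-initiated logout recommends `id_token_hint`, and some OPs will not honour `post_logout_redirect_uri` without it, so it may be worth passing the session's ID token into this method. `post_logout_redirect_uri` must also be registered with DfE Sign-in per environment, which deserves a comment above the method, e.g. `# post_logout_redirect_uri must exactly match a URI registered with DSI for this client_id`.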
diff --git a/app/views/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb b/app/views/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb
index 5779c1faa0..febcdabad4 100644
--- a/app/views/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb
+++ b/app/views/further_education_payments/provider/claims/_unauthorised_organisation_mismatch.html.erb
@@ -12,7 +12,9 @@
that you have logged in using the correct one.
-
+<%= govuk_button_link_to "Sign out", Journeys::FurtherEducationPayments::Provider.sign_out_url %>
+
+
Email <%= govuk_mail_to("FE-Levellingup.PremiumPayments@education.gov.uk") %>
if you have logged in with the correct organisation and need support.
diff --git a/config/routes.rb b/config/routes.rb
index ebc26afad7..10d7c66cae 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -86,6 +86,7 @@ def matches?(request)
scope constraints: {journey: "further-education-payments-provider"} do
get "auth/callback", to: "omniauth_callbacks#callback"
+ get "auth/sign-out", to: "omniauth_callbacks#sign_out"
end
scope path: "/", constraints: {journey: Regexp.new(Journeys.all_routing_names.join("|"))} do
diff --git a/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb b/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb
index ff6ed7b41c..449b1ece24 100644
--- a/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb
+++ b/spec/features/further_education_payments/provider/provider_verifying_claims_spec.rb
@@ -128,6 +128,8 @@
expect(page).to have_text(
"The organisation you have used to log in to DfE Sign-in does not match the organisation in the claim."
)
+
+ expect(page).to have_link("Sign out", href: Journeys::FurtherEducationPayments::Provider.sign_out_url)
end
scenario "provider visits claim with the wrong role" do
diff --git a/spec/requests/omniauth_callbacks_controller_spec.rb b/spec/requests/omniauth_callbacks_controller_spec.rb
index e5731067e3..273c02f746 100644
--- a/spec/requests/omniauth_callbacks_controller_spec.rb
+++ b/spec/requests/omniauth_callbacks_controller_spec.rb
@@ -1,6 +1,37 @@
require "rails_helper"
RSpec.describe "OmniauthCallbacksControllers", type: :request do
+ describe "#sign_out" do
+ before do
+ allow_any_instance_of(OmniauthCallbacksController).to receive(:current_journey_routing_name).and_return(journey)
+
+ get auth_sign_out_path(journey: "further-education-payments-provider")
+ end
+
+ context "further education payments provider journey" do
+ let(:journey) { Journeys::FurtherEducationPayments::Provider::ROUTING_NAME }
+
+ it "redirects to the FE sign-in page with a flash message" do
+ expect(response).to redirect_to(
+ claim_path(
+ journey: "further-education-payments-provider",
+ slug: "sign-in"
+ )
+ )
+
+ expect(flash[:notice]).to include("You've been signed out")
+ end
+ end
+
+ context "no journey returns a 404" do
+ let(:journey) { nil }
+
+ it "404 page" do
+ expect(response.body).to include("Page not found")
+ end
+ end
+ end
+
describe "#callback" do
def set_mock_auth(trn)
OmniAuth.config.mock_auth[:default] = OmniAuth::AuthHash.new(
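Review bot: The "no journey returns a 404" context only checks the body for "Page not found"; add `expect(response).to have_http_status(:not_found)` so a regression that renders the 404 template with a 200 status is caught. In the redirect context it would also be worth asserting on session state after the request (for example that no DfE Sign-in identifiers remain), since the redirect and flash alone do not prove the user was signed out locally. The `before` block always requests the hard-coded `further-education-payments-provider` path while `journey` is stubbed separately, so the `nil` case exercises the stub rather than the routing constraint; a request to a path outside that scope would test the route itself. The enclosing `RSpec.describe` block continues outside the hunk.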