Commit 526c3f2

mo khan <mo@mokhan.ca>
2014-11-15 17:11:31
exclude revoked session when authenticating.
1 parent 3692e15
Changed files (3)
app/controllers/sessions_controller.rb
@@ -23,6 +23,7 @@ class SessionsController < ApplicationController
   def destroy
     reset_session
     cookies.delete(:raphael)
+    current_session.revoke!
     redirect_to new_session_path
   end
 end
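Review bot: In `destroy`, `current_session.revoke!` runs only after `reset_session` and `cookies.delete(:raphael)` have cleared the client state. The definition of `current_session` is not visible here; if it is resolved lazily from that cookie, it may be nil or fail to load at this point, so logout would raise or leave the server-side record un-revoked. Revoking first avoids that ordering dependency: move `current_session.revoke!` above `reset_session`. If `destroy` can be reached without a valid session, guard the call, e.g. `current_session.try(:revoke!)`.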
app/models/session.rb
@@ -19,8 +19,12 @@ class Session < ActiveRecord::Base
   end
 
   class << self
+    def active
+      where(revoked_at: nil)
+    end
+
     def authenticate!(session_key)
-      Session.find(session_key)
+      active.find(session_key)
     end
   end
 end
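Review bot: `authenticate!` still looks the session up by primary key (`active.find(session_key)`), and the spec passes `revoked_session.id`, so the value the client presents appears to be the row id. If that id is a sequential integer and the cookie is not signed or encrypted (neither is visible here), the key is predictable. In that case, look it up by a dedicated random token column instead, e.g. `active.find_by!(token: session_key)`, where `token` is a placeholder column name. The new `active` scope would also benefit from a one-line comment such as `# Sessions that have not been revoked (revoked_at is NULL).`, and `authenticate!` from a note that it raises `ActiveRecord::RecordNotFound` for unknown or revoked keys. The class body starts outside this hunk.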
spec/models/session_spec.rb
@@ -24,6 +24,14 @@ describe Session do
         expect(-> { Session.authenticate!('blah') }).to raise_error(ActiveRecord::RecordNotFound)
       end
     end
+
+    context "when the session key is revoked" do
+      let(:revoked_session) { create(:session, revoked_at: Time.now) }
+
+      it 'raises an error' do
+        expect(-> { Session.authenticate(revoked_session.id) }).to raise_error
+      end
+    end
   end
 
   context "#revoke!" do
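Review bot: The new example calls `Session.authenticate(revoked_session.id)` without the bang, while the method changed in this commit is `authenticate!`. Unless a non-bang `authenticate` is defined elsewhere, the call raises `NoMethodError`, and the bare `raise_error` matcher accepts any exception, so the spec passes without exercising the revoked-session filter. Call the real method and pin the error class, as the neighbouring example does: `expect(-> { Session.authenticate!(revoked_session.id) }).to raise_error(ActiveRecord::RecordNotFound)`.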