Only clear the auth cache after login/logout when using cookie-based auth

When using cookie-based auth, login / logout happens via HTTP requests made by the "session" service and the auth service has to be explicitly notified afterwards via `auth.clearCache()`. When using OAuth-based auth on the other hand, login / logout happens through the auth service itself, so there is no need to ask the auth service to clear cached credentials afterwards.

Only clear the auth cache after login/logout when using cookie-based auth
When using cookie-based auth, login / logout happens via HTTP requests made by the "session" service and the auth service has to be explicitly notified afterwards via `auth.clearCache()`. When using OAuth-based auth on the other hand, login / logout happens through the auth service itself, so there is no need to ask the auth service to clear cached credentials afterwards.
1a2c4aac · Robert Knight · e7f1793c · 1a2c4aac · 1a2c4aac
Commit 1a2c4aac authored Jul 17, 2017 by Robert Knight
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 10 deletions

session.js src/sidebar/session.js +15 -5

session-test.js src/sidebar/test/session-test.js +2 -5

No files found.
--- a/src/sidebar/session.js
+++ b/src/sidebar/session.js
@@ -150,7 +150,12 @@ function session($http, $q, $resource, $rootScope, analytics, annotationUI, auth
    lastLoadTime = Date.now();

    if (userChanged) {
-      if (!getAuthority()) {
+      if (!auth.login) {
+        // When using cookie-based auth, notify the auth service that the current
+        // login has changed and API tokens need to be invalidated.
+        //
+        // This is not needed for OAuth-based auth because all login/logout
+        // activities happen through the auth service itself.
        auth.clearCache();
      }

@@ -223,12 +228,17 @@ function session($http, $q, $resource, $rootScope, analytics, annotationUI, auth
        return reload();
      });
    } else {
-      loggedOut = resource.logout().$promise;
+      loggedOut = resource.logout().$promise.then(() => {
+        // When using cookie-based auth, notify the auth service that the current
+        // login has changed and API tokens need to be invalidated.
+        //
+        // This is not needed for OAuth-based auth because all login/logout
+        // activities happen through the auth service itself.
+        auth.clearCache();
+      });
    }

-    return loggedOut.then(function () {
-      auth.clearCache();
-    }).catch(function (err) {
+    return loggedOut.catch(function (err) {
      flash.error('Log out failed');
      analytics.track(analytics.events.LOGOUT_FAILURE);
      return $q.reject(new Error(err));

--- a/src/sidebar/test/session-test.js
+++ b/src/sidebar/test/session-test.js
@@ -295,11 +295,8 @@ describe('session', function () {
      });
    });

-    it('does not clear the access token when the host page provides a grant token', function () {
-      fakeServiceConfig.returns({
-        authority: 'publisher.org',
-        grantToken: 'a.jwt.token',
-      });
+    it('does not clear the access token when using OAuth-based authorization', function () {
+      fakeAuth.login = Promise.resolve();

      session.update({userid: 'different-user', csrf: 'dummytoken'});