changeset 58:9f392276d614

Graceful handling of OpenID providers that log the user in as the wrong identifier
author Adam Chlipala <adam@chlipala.net>
date Tue, 09 Aug 2011 09:53:40 -0400
parents 748dd8a2e3a2
children 3113591ba7f0
files src/ur/openidUser.ur tests/utest.ur
diffstat 2 files changed, 6 insertions(+), 2 deletions(-) [+]
--- a/src/ur/openidUser.ur	Wed Aug 03 08:17:21 2011 -0400
+++ b/src/ur/openidUser.ur	Tue Aug 09 09:53:40 2011 -0400
@@ -92,6 +92,9 @@
             else
                 currentUrl
 
+    val wrongUser =
+        error <xml>Session not authorized to act as user.  Did your OpenID provider log you in as a different user than you expected?  Try logging out at your provider first, then <a href={M.afterLogout}>return to the home page</a>.</xml>
+
     fun current' tweakSession =
         login <- getCookie auth;
         case login of
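Review bot: `wrongUser` is declared like a plain value but is used as a page (`url wrongUser` in the hunk at -112), and nothing here says so. Taking its URL makes it a handler that can be requested directly, with or without an auth cookie, and that always aborts with this message. A comment above it would make that explicit, e.g. `(* Page reached after an auth-cookie mismatch; requestable without a session, so keep it free of user- or session-specific data *)`. The enclosing module body starts and ends outside the hunk.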
@@ -112,7 +115,8 @@
                      tweakSession login.Session;
                      return (Some login.User)
                  else
-                     error <xml>Session not authorized to act as user</xml>)
+                     clearCookie auth;
+                     redirect (url wrongUser))
           | _ => return None
 
     val current = current' (fn _ => return ())
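Review bot: The mismatch branch now ends in `clearCookie auth; redirect (url wrongUser)` and leaves no trace of the event, whereas the removed `error` call at least surfaced it. A cookie naming a session that is not authorized for its user can come from a provider logging in a different identity, but also from a stale or altered cookie, so the condition is worth recording before the redirect if the project has a logging hook (none is visible here). A comment should also state what is and is not cleaned up, e.g. `(* Cookie/session mismatch: drop the client cookie and show wrongUser; no server-side session state is touched here *)`. It would be worth confirming that the cookie-clearing header still goes out on the redirect response. The guard for this branch and the start of `current'` are outside the hunk.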
--- a/tests/utest.ur	Wed Aug 03 08:17:21 2011 -0400
+++ b/tests/utest.ur	Tue Aug 09 09:53:40 2011 -0400
@@ -8,7 +8,7 @@
                                   val secureCookies = False
                                   val association = Openid.Stateful {AssociationType = Openid.HMAC_SHA256,
                                                                      AssociationSessionType = Openid.NoEncryption}
-                                  val realm = None
+                                  val realm = Some "http://localhost:8080/"
 
                                   val creationState =
                                       n <- source "";