better error handling for session revocation if no login session is present, #4214

9 years ago · 71a5e4a8a1
parent 4ce8696bbc
commit 71a5e4a8a1
4 changed files with 14 additions and 4 deletions
--- a/public/src/client/account/settings.js
+++ b/public/src/client/account/settings.js
@ -113,7 +113,7 @@ define('forum/account/settings', ['forum/account/header', 'components'], functio
 				// This is done via DELETE because a user shouldn't be able to
 				// revoke his own session! This is what logout is for
 				$.ajax({
-					url: config.relative_path + '/user/' + ajaxify.data.userslug + '/session/' + uuid,
+					url: config.relative_path + '/api/user/' + ajaxify.data.userslug + '/session/' + uuid,
 					method: 'delete',
 					headers: {
 						'x-csrf-token': config.csrf_token
@ -121,7 +121,15 @@ define('forum/account/settings', ['forum/account/header', 'components'], functio
 				}).done(function() {
 					parentEl.remove();
 				}).fail(function(err) {
-					app.alertError(err.responseText);
+					try {
+						var errorObj = JSON.parse(err.responseText);
+						if (errorObj.loggedIn === false) {
+							window.location.href = config.relative_path + '/login?error=' + errorObj.title;
+						}
+						app.alertError(errorObj.title);
+					} catch (e) {
+						app.alertError('[[error:invalid-data]]');
+					}
 				});
 			}
 		});
--- a/src/controllers/index.js
+++ b/src/controllers/index.js
@ -108,6 +108,8 @@ Controllers.login = function(req, res, next) {
 	var errorText;
 	if (req.query.error === 'csrf-invalid') {
 		errorText = '[[error:csrf-invalid]]';
+	} else if (req.query.error) {
+		errorText = req.query.error;
 	}

 	data.alternate_logins = loginStrategies.length > 0;
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@ -287,7 +287,7 @@ middleware.requireUser = function(req, res, next) {
 		return next();
 	}

-	res.render('403', {title: '[[global:403.title]]'});
+	res.status(403).render('403', {title: '[[global:403.title]]'});
 };

 middleware.privateUploads = function(req, res, next) {
--- a/src/routes/accounts.js
+++ b/src/routes/accounts.js
@ -28,7 +28,7 @@ module.exports = function (app, middleware, controllers) {
 	setupPageRoute(app, '/user/:userslug/info', middleware, accountMiddlewares, controllers.accounts.info.get);
 	setupPageRoute(app, '/user/:userslug/settings', middleware, accountMiddlewares, controllers.accounts.settings.get);

-	app.delete('/user/:userslug/session/:uuid', accountMiddlewares, controllers.accounts.session.revoke);
+	app.delete('/api/user/:userslug/session/:uuid', [middleware.requireUser, middleware.exposeUid], controllers.accounts.session.revoke);

 	setupPageRoute(app, '/notifications', middleware, [middleware.authenticate], controllers.accounts.notifications.get);
 	setupPageRoute(app, '/chats/:roomid?', middleware, [middleware.authenticate], controllers.accounts.chats.get);