authorDavid Ostrovsky <david@ostrovsky.org>2015-04-12 09:29:16 +0200
committerDavid Ostrovsky <david@ostrovsky.org>2015-04-12 10:43:25 +0200
commit6b18e3a0032e7bd5248258d0ce3be23fe726bd94 (patch)
tree5eedc5b240f669ff08a2a54023edea1f84725ea2
parent5fa42e8d93d65c1358d34b9a1b84004d34eaa92c (diff)
Invalidate OAuth session after web_sessions cache expiration
When the web_sessions cache entry has expired, the OAuth session still preserves its logged-in state. This makes a new sign-in impossible. Rectify it by checking for the state mismatch (current user not identified while the OAuth session is still logged in) and invalidating the OAuth session when the web_sessions cache entry has expired. GitHub-Bug: https://github.com/davido/gerrit-oauth-provider/issues/5 Change-Id: I3d57193c5af29561fd1fac0804dd19c08a0e9dbe
-rw-r--r--gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java6
1 files changed, 5 insertions, 1 deletions
diff --git a/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java b/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java
index 7f93437fbe..48963a6e51 100644
--- a/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java
+++ b/gerrit-oauth/src/main/java/com/google/gerrit/httpd/auth/oauth/OAuthWebFilter.java
@@ -89,18 +89,22 @@ class OAuthWebFilter implements Filter {
FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpSession httpSession = ((HttpServletRequest) request).getSession(false);
+ OAuthSession oauthSession = oauthSessionProvider.get();
if (currentUserProvider.get().isIdentifiedUser()) {
if (httpSession != null) {
httpSession.invalidate();
}
chain.doFilter(request, response);
return;
+ } else {
+ if (oauthSession.isLoggedIn()) {
+ oauthSession.logout();
+ }
}
HttpServletResponse httpResponse = (HttpServletResponse) response;
String provider = httpRequest.getParameter("provider");
- OAuthSession oauthSession = oauthSessionProvider.get();
OAuthServiceProvider service = ssoProvider == null
? oauthSession.getServiceProvider()
: ssoProvider;