From 7b4d5536c9df9673937deb0670b11240c02ce5a1 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 2 Sep 2018 06:00:06 +0200
Subject: Fripost::Session: Forget credentials when destroying the session.
---
 lib/Fripost/Session.pm | 6 +++++-
 run.psgi | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/Fripost/Session.pm b/lib/Fripost/Session.pm
index 8cf6405..4408cf8 100644
--- a/lib/Fripost/Session.pm
+++ b/lib/Fripost/Session.pm
@@ -103,9 +103,10 @@ sub authenticate($%) {
 return $fp;
 }
 
-# authenticate(OPTION => VALUE, ..)
+# destroy(OPTION => VALUE, ..)
 # Create a new Fripost object, authenticate (using SASL proxy
 # authorization), and delete the entry on the LDAP backend.
+# The object shouldn't be used after using this method.
 sub destroy($%) {
 my $self = shift;
 my %conf = @_;
@@ -117,6 +118,9 @@ sub destroy($%) {
 my $r = $fp->{_ldap}->delete($dn);
 $fp->croak("LDAP error code %i: %s\n", $r->code, $r->error)
 unless $r->code == LDAP_SUCCESS;
+
+ # forget credentials in the object (now a blessed empty hash reference)
+ undef %$self;
 }
 
 1;
diff --git a/run.psgi b/run.psgi
index 8389118..3d5c90d 100644
--- a/run.psgi
+++ b/run.psgi
@@ -280,6 +280,7 @@ $builder->mount($WELCOME_PAGE => sub($) {
 die "Internal error: ", $@; } else { # something went wrong...
+ $tmpl_params{AUTHZID} = "oops";
 }
 render( $req, "overview.html", %tmpl_params );
--
cgit v1.2.3
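Review bot: In `destroy`, the added `undef %$self;` is reached only when the LDAP delete returns `LDAP_SUCCESS`; if `$fp->croak` fires just above it, or anything earlier in the body (outside this hunk) dies, the object keeps its credentials. If callers drop the session object on failure as well, the clearing belongs on every exit path; if they are expected to retry, the header comment should say the object is emptied only on success. `undef %$self` also only releases the hash: Perl does not overwrite the freed string buffers, and any copies (for example in `%conf`, if credentials are passed there) are untouched, so the comment would be more accurate as `# drop our references to the credentials (does not scrub memory; copies held elsewhere are unaffected)`. The sub now returns the value of `undef %$self`, so an explicit `return;` after it would keep the result well defined.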
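Review bot: The added `$tmpl_params{AUTHZID} = "oops";` in the `else` branch of run.psgi puts a hard-coded placeholder into a template parameter that, judging by its name, carries the authorization identity, so `overview.html` is rendered as if an identity named "oops" were logged in whenever "something went wrong". It is unrelated to the commit subject and looks like leftover debugging. I would drop the line, or replace it with `# TODO: render an explicit error state instead of a fake AUTHZID` and return an error response rather than falling through to `render(...)`. The enclosing handler starts and ends outside the hunk, so the conditions that lead into this branch are not visible here.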