From ea93630dbbf0bcfc3810120c8afef1d9a65ae913 Mon Sep 17 00:00:00 2001
From: CatalinVoineag <11318084+CatalinVoineag@users.noreply.github.com>
Date: Fri, 24 Jan 2025 12:31:48 +0000
Subject: [PATCH] Fix sandbox page redirect

On sandbox, when we log out the user, we redirect them to contents#sandbox. This controller is not properly set up to deal with one login, especially when the one login feature is turned off.

Redirects from the page of this controller hit the Authentication. The concern returns true that the candidate is signed but with db backed session, not devise. So the user is stuck in a loop because devise thinks the user is not signed in but our DB backed session concern says it is. Clearing the session fixes this issue.

In reality this should not happen because we don't attempt to use the db session login when one login is off, in any of our other controllers. But requests from this controller access the Authentication concern.

This commit tries to fix this by just clearing the session if one login feature is not enabled; this will fix this issue. Ideally we would want to not have this controller send requests to the Authentication concern if one login is not enabled.
---
 app/controllers/concerns/authentication.rb | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb index 1248939bf9f..8911ceaa773 100644 --- a/app/controllers/concerns/authentication.rb +++ b/app/controllers/concerns/authentication.rb @@ -23,9 +23,20 @@ def require_authentication end def resume_session + if !one_login_enabled? + terminate_session + return nil + end + session = Current.session ||= find_session_by_cookie - session.touch if session.present? - session + + if session.present? + session.touch + session + else + terminate_session + nil + end end def find_session_by_cookie
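
Review bot: In `resume_session`, both new `terminate_session` calls run at points where no session has been loaded: the early `if !one_login_enabled?` branch executes before `Current.session` is assigned, and the `else` branch executes only when `find_session_by_cookie` returned nothing. `terminate_session` is not shown in this hunk, so please confirm it tolerates a nil `Current.session` and still clears the session cookie; if it dereferences the session, this path could raise on exactly the requests it is meant to fix. The early return also turns a method named `resume_session` into one that destroys state on every request through this concern while the flag is off. Since the commit message says the sandbox controller should ideally not reach the concern at all, a comment here marking this as a workaround, plus a request spec covering the logout redirect with the feature disabled, would make it safer to keep. Minor style point: `unless one_login_enabled?` with a bare `return` reads more idiomatically than `if !one_login_enabled?` and `return nil`.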