TDD step 8: Logout request spec

Fivell · Fivell · commit 1c2870e44da6 · 2026-04-09T21:04:11.000+02:00
Verifies that DELETE /admin/logout clears the session via Devise's stock
flow, that subsequent admin requests bounce back to the login page, that
it's idempotent when already signed out, and crucially that WebMock sees
no outbound HTTP to the IdP — the gem deliberately keeps logout local.
diff --git a/spec/dummy/app/assets/config/manifest.js b/spec/dummy/app/assets/config/manifest.js
@@ -1,2 +1,3 @@
 //= link active_admin.css
+//= link active_admin.js
 
diff --git a/spec/dummy/app/assets/javascripts/active_admin.js b/spec/dummy/app/assets/javascripts/active_admin.js
@@ -0,0 +1 @@
+// stub for specs — ActiveAdmin layout references this file
diff --git a/spec/requests/logout_spec.rb b/spec/requests/logout_spec.rb
@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+# Verifies that signing out goes through Devise's stock session destroy
+# and does NOT hit the IdP's end_session_endpoint. The gem intentionally
+# keeps logout local — hosts that want RP-initiated single-logout can
+# override the destroy action themselves.
+RSpec.describe "Logout", type: :request do
+  include Devise::Test::IntegrationHelpers
+
+  before do
+    ActiveAdmin::Oidc.configure do |c|
+      c.issuer    = "https://idp.example.com"
+      c.client_id = "client-abc"
+      c.on_login  = ->(*) { true }
+    end
+
+    AdminUser.delete_all
+  end
+
+  let!(:admin_user) do
+    AdminUser.create!(
+      email:    "alice@example.com",
+      provider: "oidc",
+      uid:      "sub-123"
+    )
+  end
+
+  context "with a signed-in admin user" do
+    before { sign_in admin_user }
+
+    it "clears the session and redirects to the login page" do
+      # sanity: we can reach /admin while signed in
+      get "/admin"
+      expect(response).to have_http_status(:ok).or have_http_status(:redirect)
+
+      delete "/admin/logout"
+      expect(response).to be_redirect
+
+      # Subsequent admin request is bounced back to the login page.
+      get "/admin"
+      expect(response).to redirect_to("/admin/login")
+    end
+
+    it "does not hit the IdP end_session endpoint" do
+      WebMock.reset!
+      stub_any = WebMock.stub_request(:any, /idp\.example\.com/)
+
+      delete "/admin/logout"
+
+      expect(stub_any).not_to have_been_requested
+    end
+  end
+
+  context "when already signed out" do
+    it "is idempotent and still redirects to login" do
+      delete "/admin/logout"
+      expect(response).to be_redirect
+
+      get "/admin"
+      expect(response).to redirect_to("/admin/login")
+    end
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`//= link active_admin.css`
	`2`	`+//= link active_admin.js`
`2`	`3`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+// stub for specs — ActiveAdmin layout references this file`