Sign user + gestionnaire in (OpenSimplif)

Hacks into users/sessions to sign in and sign out a gestionnaire
and/or a user at the same time, as long as credentials are
identical (same email, same password).

app/controllers/users/sessions_controller.rb

@@ -22,27 +22,45 @@ class Users::SessionsController < Sessions::SessionsController
 
 #POST /resource/sign_in
   def create
-    super
+    try_to_authenticate(User)
+    try_to_authenticate(Gestionnaire)
 
-    current_user.update_attributes(loged_in_with_france_connect: '')
+    if user_signed_in?
+      current_user.update_attributes(loged_in_with_france_connect: '')
+    end
+
+    if gestionnaire_signed_in?
+      redirect_to backoffice_path
+    elsif user_signed_in?
+      redirect_to after_sign_in_path_for(:user)
+    else
+      new
+      render :new, status: 401
+    end
   end
 
 # DELETE /resource/sign_out
   def destroy
-    connected_with_france_connect = current_user.loged_in_with_france_connect
-    current_user.update_attributes(loged_in_with_france_connect: '')
-
-    signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
-    set_flash_message :notice, :signed_out if signed_out && is_flashing_format?
-    yield if block_given?
-
-    if connected_with_france_connect == 'entreprise'
-      redirect_to FRANCE_CONNECT.entreprise_logout_endpoint
-    elsif connected_with_france_connect == 'particulier'
-      redirect_to FRANCE_CONNECT.particulier_logout_endpoint
-    else
-      respond_to_on_destroy
+    if gestionnaire_signed_in?
+      sign_out :gestionnaire
     end
+
+    if user_signed_in?
+      connected_with_france_connect = current_user.loged_in_with_france_connect
+      current_user.update_attributes(loged_in_with_france_connect: '')
+
+      sign_out :user
+
+      if connected_with_france_connect == 'entreprise'
+        redirect_to FRANCE_CONNECT.entreprise_logout_endpoint
+        return
+      elsif connected_with_france_connect == 'particulier'
+        redirect_to FRANCE_CONNECT.particulier_logout_endpoint
+        return
+      end
+    end
+
+    respond_to_on_destroy
   end
 
   def no_procedure
@@ -62,4 +80,13 @@ class Users::SessionsController < Sessions::SessionsController
 
     NumberService.to_number session["user_return_to"].split("?procedure_id=").second
   end
+
+  def try_to_authenticate(klass)
+    if resource = klass.find_for_database_authentication(email: params[:user][:email])
+      if resource.valid_password?(params[:user][:password])
+        sign_in resource
+        set_flash_message :notice, :signed_in
+      end
+    end
+  end
 end

spec/controllers/users/sessions_controller_spec.rb

@@ -33,6 +33,41 @@ describe Users::SessionsController, type: :controller do
 
       it { is_expected.to be_falsey }
     end
+
+    context "when associated gestionnaire" do
+      let(:user) { create(:user, email: 'unique@plop.com', password: 'password') }
+      let(:gestionnaire) { create(:gestionnaire, email: 'unique@plop.com', password: 'password') }
+
+      it 'signs user in' do
+        post :create, user: { email: user.email, password: user.password }
+        expect(@response.redirect?).to be(true)
+        expect(subject.current_user).to eq(user)
+        expect(subject.current_gestionnaire).to be(nil)
+        expect(user.reload.loged_in_with_france_connect).to be(nil)
+      end
+
+      it 'signs gestionnaire in' do
+        post :create, user: { email: gestionnaire.email, password: gestionnaire.password }
+        expect(@response.redirect?).to be(true)
+        expect(subject.current_user).to be(nil)
+        expect(subject.current_gestionnaire).to eq(gestionnaire)
+      end
+
+      it 'signs user + gestionnaire in' do
+        post :create, user: { email: user.email, password: gestionnaire.password }
+        expect(@response.redirect?).to be(true)
+        expect(subject.current_user).to eq(user)
+        expect(subject.current_gestionnaire).to eq(gestionnaire)
+        expect(user.reload.loged_in_with_france_connect).to be(nil)
+      end
+
+      it 'fails to sign in with bad credentials' do
+        post :create, user: { email: user.email, password: 'wrong_password' }
+        expect(@response.unauthorized?).to be(true)
+        expect(subject.current_user).to be(nil)
+        expect(subject.current_gestionnaire).to be(nil)
+      end
+    end
   end
 
   describe '.destroy' do
@@ -66,6 +101,41 @@ describe Users::SessionsController, type: :controller do
         expect(response).to redirect_to(root_path)
       end
     end
+
+    context "when associated gestionnaire" do
+      let(:user) { create(:user, email: 'unique@plop.com', password: 'password') }
+      let(:gestionnaire) { create(:gestionnaire, email: 'unique@plop.com', password: 'password') }
+
+      it 'signs user out' do
+        sign_in user
+        delete :destroy
+        expect(@response.redirect?).to be(true)
+        expect(subject.current_user).to be(nil)
+      end
+
+      it 'signs gestionnaire out' do
+        sign_in gestionnaire
+        delete :destroy
+        expect(@response.redirect?).to be(true)
+        expect(subject.current_gestionnaire).to be(nil)
+      end
+
+      it 'signs user + gestionnaire out' do
+        sign_in user
+        sign_in gestionnaire
+        delete :destroy
+        expect(@response.redirect?).to be(true)
+        expect(subject.current_user).to be(nil)
+        expect(subject.current_gestionnaire).to be(nil)
+      end
+
+      it 'signs user out from france connect' do
+        user.update_attributes(loged_in_with_france_connect: 'particulier')
+        sign_in user
+        delete :destroy
+        expect(@response.headers["Location"]).to eq(FRANCE_CONNECT.particulier_logout_endpoint)
+      end
+    end
   end
 
   describe '.new' do
@@ -106,4 +176,4 @@ describe Users::SessionsController, type: :controller do
       end
     end
   end
-end
+end