authormo khan <mo@mokhan.ca>2014-11-15 10:11:31 -0700
committermo khan <mo@mokhan.ca>2014-11-15 10:11:31 -0700
commit526c3f286d8dcdbe85d35c1fce53d6cee35e0d34 (patch)
tree0de73fa082912b2f5ce7497a66d71216825245b1
parent3692e15425add01de0a99457b4679ba33146a070 (diff)
exclude revoked session when authenticating.
-rw-r--r--app/controllers/sessions_controller.rb1
-rw-r--r--app/models/session.rb6
-rw-r--r--spec/models/session_spec.rb8
3 files changed, 14 insertions, 1 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 19978bd..c50b95f 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -23,6 +23,7 @@ class SessionsController < ApplicationController
def destroy
reset_session
cookies.delete(:raphael)
+ current_session.revoke!
redirect_to new_session_path
end
end
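Review bot: `current_session.revoke!` runs after `reset_session` and `cookies.delete(:raphael)`, so the revocation depends on `current_session` still resolving once the cookie and the Rails session are gone. Its definition is not in this hunk; if it is looked up lazily from either of those, it may be nil at this point and logout would raise instead of marking the row revoked. Revoking first removes the ordering dependency, and a nil guard keeps a logout without a live session from failing: put `current_session.try(:revoke!)` ahead of `reset_session`. A controller spec asserting that `revoked_at` is set after `destroy` would pin this behaviour.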
diff --git a/app/models/session.rb b/app/models/session.rb
index 7d39c9c..3365607 100644
--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -19,8 +19,12 @@ class Session < ActiveRecord::Base
end
class << self
+ def active
+ where(revoked_at: nil)
+ end
+
def authenticate!(session_key)
- Session.find(session_key)
+ active.find(session_key)
end
end
end
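Review bot: `authenticate!` resolves the session with `active.find(session_key)`, a primary-key lookup, so the value the client presents is the row id and the secrecy of a session rests on that id being unguessable or on the cookie being signed or encrypted. Neither is visible in this hunk; if the ids are sequential integers and the cookie is plain, live sessions could be enumerated. In that case look up by a separate random token column instead, e.g. `active.find_by!(token: session_key)`, where `token` is a placeholder column name. It is also worth documenting the contract on the method: `# Raises ActiveRecord::RecordNotFound for unknown and revoked keys alike, so callers cannot tell the two apart.`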
diff --git a/spec/models/session_spec.rb b/spec/models/session_spec.rb
index acd6cad..6c20b1c 100644
--- a/spec/models/session_spec.rb
+++ b/spec/models/session_spec.rb
@@ -24,6 +24,14 @@ describe Session do
expect(-> { Session.authenticate!('blah') }).to raise_error(ActiveRecord::RecordNotFound)
end
end
+
+ context "when the session key is revoked" do
+ let(:revoked_session) { create(:session, revoked_at: Time.now) }
+
+ it 'raises an error' do
+ expect(-> { Session.authenticate(revoked_session.id) }).to raise_error
+ end
+ end
end
context "#revoke!" do
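Review bot: The new example calls `Session.authenticate(revoked_session.id)` without the bang, while the model hunk in this commit defines only `authenticate!`. Unless a bang-less `authenticate` exists elsewhere, the call raises NoMethodError, and the bare `raise_error` matcher accepts any exception, so the example passes without ever reaching the `revoked_at` filter. Call the real method and pin the exception class, matching the example above it: `expect(-> { Session.authenticate!(revoked_session.id) }).to raise_error(ActiveRecord::RecordNotFound)`.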