Fixed #25029 -- Added PersistentRemoteUserMiddleware for login-page-only external authentication.

1 files changed, 23 insertions, 0 deletions

diff --git a/tests/auth_tests/test_remote_user.py b/tests/auth_tests/test_remote_user.py
index d0f3f2283f..a413b97ee4 100644
--- a/tests/auth_tests/test_remote_user.py
+++ b/tests/auth_tests/test_remote_user.py
@@ -232,3 +232,26 @@ class CustomHeaderRemoteUserTest(RemoteUserTest):
         'auth_tests.test_remote_user.CustomHeaderMiddleware'
     )
     header = 'HTTP_AUTHUSER'
+
+
+class PersistentRemoteUserTest(RemoteUserTest):
+    """
+    PersistentRemoteUserMiddleware keeps the user logged in even if the
+    subsequent calls do not contain the header value.
+    """
+    middleware = 'django.contrib.auth.middleware.PersistentRemoteUserMiddleware'
+    require_header = False
+
+    def test_header_disappears(self):
+        """
+        A logged in user is kept logged in even if the REMOTE_USER header
+        disappears during the same browser session.
+        """
+        User.objects.create(username='knownuser')
+        # Known user authenticates
+        response = self.client.get('/remote_user/', **{self.header: self.known_user})
+        self.assertEqual(response.context['user'].username, 'knownuser')
+        # Should stay logged in if the REMOTE_USER header disappears.
+        response = self.client.get('/remote_user/')
+        self.assertEqual(response.context['user'].is_anonymous(), False)
+        self.assertEqual(response.context['user'].username, 'knownuser')