fix: encode session for ssr clients

2024-06-28 19:20:25 +12:00 · 2023-12-19 15:45:44 +00:00 · 2023-12-19 15:45:44 +00:00 · 1b6a833bed
parent 2c5c799d13
commit 1b6a833bed
3 changed files with 8 additions and 7 deletions
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@ -278,7 +278,7 @@ App::post('/v1/account/sessions/email')
            ->setAttribute('current', true)
            ->setAttribute('countryName', $countryName)
            ->setAttribute('expire', $expire)
-            ->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '')
+            ->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? Auth::encodeSession($user->getId(), $secret) : '')
        ;

        $queueForEvents
@ -1242,7 +1242,7 @@ App::put('/v1/account/sessions/token')
            ->setAttribute('current', true)
            ->setAttribute('countryName', $countryName)
            ->setAttribute('expire', $expire)
-            ->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $sessionSecret : '')
+            ->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? Auth::encodeSession($user->getId(), $sessionSecret) : '')
        ;

        $response->dynamic($session, Response::MODEL_SESSION);
@ -1377,7 +1377,7 @@ App::post('/v1/account/tokens/phone')
        );

        // Hide secret for clients
-        $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '');
+        $token->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? Auth::encodeSession($user->getId(), $secret) : '');

        $response
            ->setStatusCode(Response::STATUS_CODE_CREATED)
@ -1520,7 +1520,7 @@ App::post('/v1/account/sessions/anonymous')
            ->setAttribute('current', true)
            ->setAttribute('countryName', $countryName)
            ->setAttribute('expire', $expire)
-            ->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? $secret : '')
+            ->setAttribute('secret', ($isPrivilegedUser || $isAppUser) ? Auth::encodeSession($user->getId(), $secret) : '')
        ;

        $response->dynamic($session, Response::MODEL_SESSION);
--- a/tests/e2e/Scopes/ProjectCustom.php
+++ b/tests/e2e/Scopes/ProjectCustom.php
@ -83,7 +83,8 @@ trait ProjectCustom
                'health.read',
                'rules.read',
                'rules.write',
-                'sessions'
+                'sessions',
+                'account'
            ],
        ]);

--- a/tests/e2e/Services/Account/AccountCustomServerTest.php
+++ b/tests/e2e/Services/Account/AccountCustomServerTest.php
@ -133,13 +133,13 @@ class AccountCustomServerTest extends Scope
        $this->assertNotEmpty($response['body']['secret']);

        $sessionId = $response['body']['$id'];
-        $session = $response['cookies']['a_session_' . $this->getProject()['$id']];
+        $session = $response['body']['secret'];

        $response = $this->client->call(Client::METHOD_GET, '/account', array_merge(
            [
                'content-type' => 'application/json',
                'x-appwrite-project' => $this->getProject()['$id'],
-                'cookie' => 'a_session_' . $this->getProject()['$id'] . '=' . $session,
+                'x-appwrite-session' => $session
            ],
            $this->getHeaders()
        ));