From 6fb1e929cd53b755ddfecc55fb18f3111ade85c7 Mon Sep 17 00:00:00 2001
From: Jake Barnby
Date: Tue, 27 Feb 2024 22:08:39 +1300
Subject: [PATCH] Use group hook to block recreating sessions
---
 app/controllers/api/account.php | 18 +++---------------
 app/controllers/shared/api.php | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index ebc347edc6..6c748bec5a 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -228,10 +228,6 @@ App::post('/v1/account/sessions/email')
 ->inject('queueForEvents')
 ->inject('hooks')
 ->action(function (string $email, string $password, Request $request, Response $response, Document $user, Database $dbForProject, Document $project, Locale $locale, Reader $geodb, Event $queueForEvents, Hooks $hooks) {
- if (!$user->isEmpty()) {
- throw new Exception(Exception::USER_SESSION_ALREADY_EXISTS);
- }
-
 $email = \strtolower($email);
 $protocol = $request->getProtocol();
@@ -1545,10 +1541,6 @@ App::post('/v1/account/tokens/email')
 });
 $createSession = function (string $userId, string $secret, Request $request, Response $response, Document $user, Database $dbForProject, Document $project, Locale $locale, Reader $geodb, Event $queueForEvents) {
- if (!$user->isEmpty()) {
- throw new Exception(Exception::USER_SESSION_ALREADY_EXISTS);
- }
-
 $roles = Authorization::getRoles();
 $isPrivilegedUser = Auth::isPrivilegedUser($roles);
 $isAppUser = Auth::isAppUser($roles);
@@ -1658,7 +1650,7 @@ $createSession = function (string $userId, string $secret, Request $request, Res
 App::put('/v1/account/sessions/magic-url')
 ->desc('Update magic URL session')
 ->label('event', 'users.[userId].sessions.[sessionId].create')
- ->groups(['api', 'account'])
+ ->groups(['api', 'account', 'session'])
 ->label('scope', 'sessions.write')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
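Review bot: The inline `USER_SESSION_ALREADY_EXISTS` guard is deleted from the `/v1/account/sessions/email` action in this hunk (and from `/v1/account/sessions/anonymous` in the hunk at -1941), yet neither route's `->groups()` call appears in the diff, and the only `'session'` group additions in account.php are the three at magic-url, phone and token, matching the diffstat's 3 insertions. If those two routes are not already in the `'session'` group (not visible here), the replacement `App::init()->groups(['session'])` hook in shared/api.php never runs for them and the already-logged-in check is silently lost, so this should be confirmed against the full route declarations. Both enclosing `->action()` closures start before the hunk and continue past it. A short comment at the point where the check used to sit, e.g. `// Existing-session check is enforced by the 'session' group init hook in shared/api.php`, would make the dependency on group membership visible to anyone editing these routes later.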
@@ -1688,7 +1680,7 @@ App::put('/v1/account/sessions/magic-url')
 App::put('/v1/account/sessions/phone')
 ->desc('Update phone session')
 ->label('event', 'users.[userId].sessions.[sessionId].create')
- ->groups(['api', 'account'])
+ ->groups(['api', 'account', 'session'])
 ->label('scope', 'sessions.write')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -1718,7 +1710,7 @@ App::put('/v1/account/sessions/phone')
 App::post('/v1/account/sessions/token')
 ->desc('Create session')
 ->label('event', 'users.[userId].sessions.[sessionId].create')
- ->groups(['api', 'account'])
+ ->groups(['api', 'account', 'session'])
 ->label('scope', 'sessions.write')
 ->label('audits.event', 'session.create')
 ->label('audits.resource', 'user/{response.userId}')
@@ -1941,10 +1933,6 @@ App::post('/v1/account/sessions/anonymous')
 ->inject('geodb')
 ->inject('queueForEvents')
 ->action(function (Request $request, Response $response, Locale $locale, Document $user, Document $project, Database $dbForProject, Reader $geodb, Event $queueForEvents) {
- if (!$user->isEmpty()) {
- throw new Exception(Exception::USER_SESSION_ALREADY_EXISTS);
- }
-
 $protocol = $request->getProtocol();
 $roles = Authorization::getRoles();
 $isPrivilegedUser = Auth::isPrivilegedUser($roles);
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index e75161d035..0101d72116 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -461,6 +461,20 @@ App::init()
 }
 });
+App::init()
+ ->groups(['session'])
+ ->inject('user')
+ ->inject('request')
+ ->action(function (Document $user, Request $request) {
+ if (\str_contains($request->getURI(), 'oauth2')) {
+ return;
+ }
+
+ if (!$user->isEmpty()) {
+ throw new Exception(Exception::USER_SESSION_ALREADY_EXISTS);
+ }
+ });
+
 /**
 * Limit user session
 *
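Review bot: The OAuth2 exemption in the new `'session'` init hook in shared/api.php is a substring test on the raw request URI, `if (\str_contains($request->getURI(), 'oauth2'))`, so the bypass is keyed on caller-supplied data rather than on which route was matched; any `'session'`-group route whose URI happens to contain that text skips the already-logged-in check, and whether `getURI()` also returns the query string cannot be seen from this hunk and should be confirmed. A tighter gate is to decide by route rather than by URI text, for example by keeping the OAuth2 routes out of the `'session'` group, or injecting the matched route and comparing its declared path, so the exemption cannot widen as routes are added. The hook also lacks any comment saying why it exists or why OAuth2 requests are exempt (the reason is not given in the hunk); a header such as `// Routes in the 'session' group create a new session: refuse callers that already hold one.` plus a line stating the OAuth2 rationale would help the next maintainer.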
@@ -497,6 +511,7 @@ App::shutdown()
 $session = array_shift($sessions);
 $dbForProject->deleteDocument('sessions', $session->getId());
 }
+ $dbForProject->purgeCachedDocument('users', $userId);
 });