Implement user sessions endpoints for APIv4 (#5449)

* added get session and revoke session endpoints, unittests and drivers * removed BasicUser2 and added teardown * added badrequest unit test case for sessions * added session loop to check if user id and session user id matches * fixed indentation issues for user_test * match indentation from spaces to tabs
author: Ruzette Tanyag <ruzette@users.noreply.github.com> 2017-02-17 10:31:01 -0500
committer: Joram Wilander <jwawilander@gmail.com> 2017-02-17 10:31:01 -0500
commit: 4e7dbc3bb0e93bafa684594b19c5648dc030ee17 (patch)
tree: 618d2b57861650c52ed4a74ddd7730b944991a11
parent: 2f96814a8bca991a2acba3b66c38c22cfddef769 (diff)
download: chat-4e7dbc3bb0e93bafa684594b19c5648dc030ee17.tar.gz
chat-4e7dbc3bb0e93bafa684594b19c5648dc030ee17.tar.bz2
chat-4e7dbc3bb0e93bafa684594b19c5648dc030ee17.zip
4 files changed, 173 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go
index e394b9661..5337cedf0 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -34,6 +34,9 @@ func InitUser() {
 	BaseRoutes.UserByUsername.Handle("", ApiSessionRequired(getUserByUsername)).Methods("GET")
 	BaseRoutes.UserByEmail.Handle("", ApiSessionRequired(getUserByEmail)).Methods("GET")
 
+	BaseRoutes.User.Handle("/sessions", ApiSessionRequired(getSessions)).Methods("GET")
+	BaseRoutes.User.Handle("/sessions/revoke", ApiSessionRequired(revokeSession)).Methods("POST")
+
 }
 
 func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -476,3 +479,53 @@ func Logout(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	ReturnStatusOK(w)
 }
+
+func getSessions(c *Context, w http.ResponseWriter, r *http.Request) {
+    c.RequireUserId()
+    if c.Err != nil {
+        return
+    }
+
+    if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) {
+        c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+        return
+    }
+
+    if sessions, err := app.GetSessions(c.Params.UserId); err != nil {
+        c.Err = err
+        return
+    } else {
+        for _, session := range sessions {
+            session.Sanitize()
+        }
+
+        w.Write([]byte(model.SessionsToJson(sessions)))
+        return
+    }
+}
+
+func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
+    c.RequireUserId()
+    if c.Err != nil {
+        return
+    }
+
+    if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) {
+        c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+        return
+    }
+
+    props := model.MapFromJson(r.Body)
+    sessionId := props["session_id"]
+
+    if sessionId == "" {
+        c.SetInvalidParam("session_id")
+    }
+
+    if err := app.RevokeSessionById(sessionId); err != nil {
+        c.Err = err
+        return
+    }
+
+    ReturnStatusOK(w)
+}
+\ No newline at end of file
diff --git a/api4/user_test.go b/api4/user_test.go
index 771a53cbe..5fe497d90 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -802,3 +802,100 @@ func TestResetPassword(t *testing.T) {
 	_, resp = Client.SendPasswordResetEmail(user.Email)
 	CheckBadRequestStatus(t, resp)
 }
+
+func TestGetSessions(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer TearDown()
+	Client := th.Client
+
+	user := th.BasicUser
+
+	Client.Login(user.Email, user.Password)
+	
+	sessions, resp := Client.GetSessions(user.Id, "")
+	for _, session := range sessions {
+		if session.UserId != user.Id {
+			t.Fatal("user id does not match session user id")
+		}
+	}
+	CheckNoError(t, resp)
+
+	_, resp = Client.RevokeSession("junk", model.NewId())
+	CheckBadRequestStatus(t, resp)
+
+	_, resp = Client.GetSessions(th.BasicUser2.Id, "")
+	CheckForbiddenStatus(t, resp)
+
+	_, resp = Client.GetSessions(model.NewId(), "")
+	CheckForbiddenStatus(t, resp)
+
+	Client.Logout()
+	_, resp = Client.GetSessions(th.BasicUser2.Id, "")
+	CheckUnauthorizedStatus(t, resp)
+
+	_, resp = th.SystemAdminClient.GetSessions(user.Id, "")
+	CheckNoError(t, resp)
+
+	_, resp = th.SystemAdminClient.GetSessions(th.BasicUser2.Id, "")
+	CheckNoError(t, resp)
+
+	_, resp = th.SystemAdminClient.GetSessions(model.NewId(), "")
+	CheckNoError(t, resp)
+
+}
+
+func TestRevokeSessions(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer TearDown()
+	Client := th.Client
+
+	user := th.BasicUser
+	Client.Login(user.Email, user.Password)
+	sessions, _ := Client.GetSessions(user.Id, "")
+	if len(sessions) == 0 {
+		t.Fatal("sessions should exist")
+	}
+	for _, session := range sessions {
+		if session.UserId != user.Id {
+			t.Fatal("user id does not match session user id")
+		}
+	}
+	session := sessions[0]
+
+	_, resp := Client.RevokeSession(user.Id, model.NewId())
+	CheckBadRequestStatus(t, resp)
+
+	_, resp = Client.RevokeSession(th.BasicUser2.Id, model.NewId())
+	CheckForbiddenStatus(t, resp)
+
+	_, resp = Client.RevokeSession("junk", model.NewId())
+	CheckBadRequestStatus(t, resp)
+
+	status, resp := Client.RevokeSession(user.Id, session.Id)
+	if status == false {
+		t.Fatal("user session revoke unsuccessful")
+	}
+	CheckNoError(t, resp)
+
+	Client.Logout()
+	_, resp = Client.RevokeSession(user.Id, model.NewId())
+	CheckUnauthorizedStatus(t, resp)
+
+	_, resp = th.SystemAdminClient.RevokeSession(user.Id, model.NewId())
+	CheckBadRequestStatus(t, resp)
+
+	sessions, _ = th.SystemAdminClient.GetSessions(th.SystemAdminUser.Id, "")
+	if len(sessions) == 0 {
+		t.Fatal("sessions should exist")
+	}
+	for _, session := range sessions {
+		if session.UserId != th.SystemAdminUser.Id {
+			t.Fatal("user id does not match session user id")
+		}
+	}
+	session = sessions[0]
+
+	_, resp = th.SystemAdminClient.RevokeSession(th.SystemAdminUser.Id, session.Id)
+	CheckNoError(t, resp)
+
+}
diff --git a/app/session.go b/app/session.go
index 83e5f343a..2207ed869 100644
--- a/app/session.go
+++ b/app/session.go
@@ -4,6 +4,7 @@
 package app
 
 import (
+	"net/http"
 	"github.com/mattermost/platform/einterfaces"
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/utils"
@@ -148,6 +149,7 @@ func RevokeSessionsForDeviceId(userId string, deviceId string, currentSessionId
 
 func RevokeSessionById(sessionId string) *model.AppError {
 	if result := <-Srv.Store.Session().Get(sessionId); result.Err != nil {
+		result.Err.StatusCode = http.StatusBadRequest
 		return result.Err
 	} else {
 		return RevokeSession(result.Data.(*model.Session))
diff --git a/model/client4.go b/model/client4.go
index ec91460fd..2534203c2 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -403,6 +403,27 @@ func (c *Client4) ResetPassword(code, newPassword string) (bool, *Response) {
 	}
 }
 
+// GetSessions returns a list of sessions based on the provided user id string.
+func (c *Client4) GetSessions(userId, etag string) ([]*Session, *Response) {
+	if r, err := c.DoApiGet(c.GetUserRoute(userId)+"/sessions", etag); err != nil {
+		return nil, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return SessionsFromJson(r.Body), BuildResponse(r)
+	}
+}
+
+// RevokeSession revokes a user session based on the provided user id and session id strings.
+func (c *Client4) RevokeSession(userId, sessionId string) (bool, *Response) {
+	requestBody := map[string]string{"session_id": sessionId}
+	if r, err := c.DoApiPost(c.GetUserRoute(userId)+"/sessions/revoke", MapToJson(requestBody)); err != nil {
+		return false, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
 // Team Section
 
 // CreateTeam creates a team in the system based on the provided team struct.
author	Ruzette Tanyag <ruzette@users.noreply.github.com>	2017-02-17 10:31:01 -0500
committer	Joram Wilander <jwawilander@gmail.com>	2017-02-17 10:31:01 -0500
commit	4e7dbc3bb0e93bafa684594b19c5648dc030ee17 (patch)
tree	618d2b57861650c52ed4a74ddd7730b944991a11
parent	2f96814a8bca991a2acba3b66c38c22cfddef769 (diff)
download	chat-4e7dbc3bb0e93bafa684594b19c5648dc030ee17.tar.gz chat-4e7dbc3bb0e93bafa684594b19c5648dc030ee17.tar.bz2 chat-4e7dbc3bb0e93bafa684594b19c5648dc030ee17.zip