PLT-1557 revoking sessions from same device

2 files changed, 56 insertions, 7 deletions

diff --git a/api/user.go b/api/user.go
index 36a3fd5f9..42a65c934 100644
--- a/api/user.go
+++ b/api/user.go
@@ -497,6 +497,26 @@ func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User,
 	if len(deviceId) > 0 {
 		session.SetExpireInDays(model.SESSION_TIME_MOBILE_IN_DAYS)
 		maxAge = model.SESSION_TIME_MOBILE_IN_SECS
+
+		// A special case where we logout of all other sessions with the same Id
+		if result := <-Srv.Store.Session().GetSessions(user.Id); result.Err != nil {
+			c.Err = result.Err
+			c.Err.StatusCode = http.StatusForbidden
+			return
+		} else {
+			sessions := result.Data.([]*model.Session)
+			for _, session := range sessions {
+				if session.DeviceId == deviceId {
+					l4g.Debug("Revoking sessionId=" + session.Id + " for userId=" + user.Id + " re-login with same device Id")
+					RevokeSessionById(c, session.Id)
+					if c.Err != nil {
+						c.LogError(c.Err)
+						c.Err = nil
+					}
+				}
+			}
+		}
+
 	} else {
 		session.SetExpireInDays(model.SESSION_TIME_WEB_IN_DAYS)
 	}
@@ -664,13 +684,15 @@ func loginLdap(c *Context, w http.ResponseWriter, r *http.Request) {
 func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
 	props := model.MapFromJson(r.Body)
 	id := props["id"]
+	RevokeSessionById(c, id)
+	w.Write([]byte(model.MapToJson(props)))
+}
 
-	if result := <-Srv.Store.Session().Get(id); result.Err != nil {
+func RevokeSessionById(c *Context, sessionId string) {
+	if result := <-Srv.Store.Session().Get(sessionId); result.Err != nil {
 		c.Err = result.Err
-		return
 	} else {
 		session := result.Data.(*model.Session)
-
 		c.LogAudit("session_id=" + session.Id)
 
 		if session.IsOAuth {
@@ -680,10 +702,6 @@ func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
 
 			if result := <-Srv.Store.Session().Remove(session.Id); result.Err != nil {
 				c.Err = result.Err
-				return
-			} else {
-				w.Write([]byte(model.MapToJson(props)))
-				return
 			}
 		}
 	}
diff --git a/api/user_test.go b/api/user_test.go
index ffa96cb66..9a172805a 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -162,6 +162,37 @@ func TestLogin(t *testing.T) {
 	Client.AuthToken = authToken
 }
 
+func TestLoginWithDeviceId(t *testing.T) {
+	Setup()
+
+	team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
+	rteam, _ := Client.CreateTeam(&team)
+
+	user := model.User{TeamId: rteam.Data.(*model.Team).Id, Email: strings.ToLower(model.NewId()) + "corey+test@test.com", Nickname: "Corey Hulen", Password: "pwd"}
+	ruser := Client.Must(Client.CreateUser(&user, "")).Data.(*model.User)
+	store.Must(Srv.Store.User().VerifyEmail(ruser.Id))
+
+	deviceId := model.NewId()
+	if result, err := Client.LoginByEmailWithDevice(team.Name, user.Email, user.Password, deviceId); err != nil {
+		t.Fatal(err)
+	} else {
+		ruser := result.Data.(*model.User)
+
+		if ssresult, err := Client.GetSessions(ruser.Id); err != nil {
+			t.Fatal(err)
+		} else {
+			sessions := ssresult.Data.([]*model.Session)
+			if _, err := Client.LoginByEmailWithDevice(team.Name, user.Email, user.Password, deviceId); err != nil {
+				t.Fatal(err)
+			}
+
+			if sresult := <-Srv.Store.Session().Get(sessions[0].Id); sresult.Err == nil {
+				t.Fatal("session should have been removed")
+			}
+		}
+	}
+}
+
 func TestSessions(t *testing.T) {
 	Setup()