summaryrefslogtreecommitdiffstats
path: root/api
diff options
context:
space:
mode:
author=Corey Hulen <corey@hulen.com>2016-01-05 09:58:21 -0600
committer=Corey Hulen <corey@hulen.com>2016-01-05 09:58:21 -0600
commite432b66641b9f11e505a8497efaeea53ab4b6ce0 (patch)
tree2bb95803d6cf1c8650a5756b800d92dfc7870d5e /api
parenta35de266df1eb130572834ad31e3b8822284048c (diff)
downloadchat-e432b66641b9f11e505a8497efaeea53ab4b6ce0.tar.gz
chat-e432b66641b9f11e505a8497efaeea53ab4b6ce0.tar.bz2
chat-e432b66641b9f11e505a8497efaeea53ab4b6ce0.zip
PLT-1557 revoking sessions from same device
Diffstat (limited to 'api')
-rw-r--r--api/user.go32
-rw-r--r--api/user_test.go31
2 files changed, 56 insertions, 7 deletions
diff --git a/api/user.go b/api/user.go
index 36a3fd5f9..42a65c934 100644
--- a/api/user.go
+++ b/api/user.go
@@ -497,6 +497,26 @@ func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User,
if len(deviceId) > 0 {
session.SetExpireInDays(model.SESSION_TIME_MOBILE_IN_DAYS)
maxAge = model.SESSION_TIME_MOBILE_IN_SECS
+
+ // A special case where we logout of all other sessions with the same Id
+ if result := <-Srv.Store.Session().GetSessions(user.Id); result.Err != nil {
+ c.Err = result.Err
+ c.Err.StatusCode = http.StatusForbidden
+ return
+ } else {
+ sessions := result.Data.([]*model.Session)
+ for _, session := range sessions {
+ if session.DeviceId == deviceId {
+ l4g.Debug("Revoking sessionId=" + session.Id + " for userId=" + user.Id + " re-login with same device Id")
+ RevokeSessionById(c, session.Id)
+ if c.Err != nil {
+ c.LogError(c.Err)
+ c.Err = nil
+ }
+ }
+ }
+ }
+
} else {
session.SetExpireInDays(model.SESSION_TIME_WEB_IN_DAYS)
}
@@ -664,13 +684,15 @@ func loginLdap(c *Context, w http.ResponseWriter, r *http.Request) {
func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
props := model.MapFromJson(r.Body)
id := props["id"]
+ RevokeSessionById(c, id)
+ w.Write([]byte(model.MapToJson(props)))
+}
- if result := <-Srv.Store.Session().Get(id); result.Err != nil {
+func RevokeSessionById(c *Context, sessionId string) {
+ if result := <-Srv.Store.Session().Get(sessionId); result.Err != nil {
c.Err = result.Err
- return
} else {
session := result.Data.(*model.Session)
-
c.LogAudit("session_id=" + session.Id)
if session.IsOAuth {
@@ -680,10 +702,6 @@ func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
if result := <-Srv.Store.Session().Remove(session.Id); result.Err != nil {
c.Err = result.Err
- return
- } else {
- w.Write([]byte(model.MapToJson(props)))
- return
}
}
}
diff --git a/api/user_test.go b/api/user_test.go
index ffa96cb66..9a172805a 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -162,6 +162,37 @@ func TestLogin(t *testing.T) {
Client.AuthToken = authToken
}
+func TestLoginWithDeviceId(t *testing.T) {
+ Setup()
+
+ team := model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
+ rteam, _ := Client.CreateTeam(&team)
+
+ user := model.User{TeamId: rteam.Data.(*model.Team).Id, Email: strings.ToLower(model.NewId()) + "corey+test@test.com", Nickname: "Corey Hulen", Password: "pwd"}
+ ruser := Client.Must(Client.CreateUser(&user, "")).Data.(*model.User)
+ store.Must(Srv.Store.User().VerifyEmail(ruser.Id))
+
+ deviceId := model.NewId()
+ if result, err := Client.LoginByEmailWithDevice(team.Name, user.Email, user.Password, deviceId); err != nil {
+ t.Fatal(err)
+ } else {
+ ruser := result.Data.(*model.User)
+
+ if ssresult, err := Client.GetSessions(ruser.Id); err != nil {
+ t.Fatal(err)
+ } else {
+ sessions := ssresult.Data.([]*model.Session)
+ if _, err := Client.LoginByEmailWithDevice(team.Name, user.Email, user.Password, deviceId); err != nil {
+ t.Fatal(err)
+ }
+
+ if sresult := <-Srv.Store.Session().Get(sessions[0].Id); sresult.Err == nil {
+ t.Fatal("session should have been removed")
+ }
+ }
+ }
+}
+
func TestSessions(t *testing.T) {
Setup()