From 430806301da06e927b8d7d6dcba20ea4b6b6d6c1 Mon Sep 17 00:00:00 2001
From: =Corey Hulen <corey@hulen.com>
Date: Thu, 1 Oct 2015 17:52:47 -0700
Subject: PLT-44 allow team switching without the need to login

---
 api/channel.go |  2 +-
 api/context.go | 24 +++++++++++++++++++-----
 api/user.go    | 39 +++++++++++++++++++++++++++++++++++++--
 3 files changed, 57 insertions(+), 8 deletions(-)

(limited to 'api')

diff --git a/api/channel.go b/api/channel.go
index 896e22793..28642ff67 100644
--- a/api/channel.go
+++ b/api/channel.go
@@ -282,7 +282,7 @@ func getChannels(c *Context, w http.ResponseWriter, r *http.Request) {
 			// lets make sure the user is valid
 			if result := <-Srv.Store.User().Get(c.Session.UserId); result.Err != nil {
 				c.Err = result.Err
-				c.RemoveSessionCookie(w)
+				c.RemoveSessionCookie(w, r)
 				l4g.Error("Error in getting users profile for id=%v forcing logout", c.Session.UserId)
 				return
 			}
diff --git a/api/context.go b/api/context.go
index 02c3dc902..e80582b2a 100644
--- a/api/context.go
+++ b/api/context.go
@@ -137,7 +137,7 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 
 		if session == nil || session.IsExpired() {
-			c.RemoveSessionCookie(w)
+			c.RemoveSessionCookie(w, r)
 			c.Err = model.NewAppError("ServeHTTP", "Invalid or expired session, please login again.", "token="+token)
 			c.Err.StatusCode = http.StatusUnauthorized
 		} else if !session.IsOAuth && isTokenFromQueryString {
@@ -303,7 +303,6 @@ func (c *Context) HasSystemAdminPermissions(where string) bool {
 }
 
 func (c *Context) IsSystemAdmin() bool {
-	// TODO XXX FIXME && IsPrivateIpAddress(c.IpAddress)
 	if model.IsInRole(c.Session.Roles, model.ROLE_SYSTEM_ADMIN) {
 		return true
 	}
@@ -317,7 +316,7 @@ func (c *Context) IsTeamAdmin() bool {
 	return false
 }
 
-func (c *Context) RemoveSessionCookie(w http.ResponseWriter) {
+func (c *Context) RemoveSessionCookie(w http.ResponseWriter, r *http.Request) {
 
 	sessionCache.Remove(c.Session.Token)
 
@@ -330,6 +329,21 @@ func (c *Context) RemoveSessionCookie(w http.ResponseWriter) {
 	}
 
 	http.SetCookie(w, cookie)
+
+	multiToken := ""
+	if oldMultiCookie, err := r.Cookie(model.MULTI_SESSION_TOKEN); err == nil {
+		multiToken = oldMultiCookie.Value
+	}
+
+	multiCookie := &http.Cookie{
+		Name:     model.MULTI_SESSION_TOKEN,
+		Value:    strings.TrimSpace(strings.Replace(multiToken, c.Session.Token, "", -1)),
+		Path:     "/",
+		MaxAge:   model.SESSION_TIME_WEB_IN_SECS,
+		HttpOnly: true,
+	}
+
+	http.SetCookie(w, multiCookie)
 }
 
 func (c *Context) SetInvalidParam(where string, name string) {
@@ -346,7 +360,7 @@ func (c *Context) setTeamURL(url string, valid bool) {
 	c.teamURLValid = valid
 }
 
-func (c *Context) setTeamURLFromSession() {
+func (c *Context) SetTeamURLFromSession() {
 	if result := <-Srv.Store.Team().Get(c.Session.TeamId); result.Err == nil {
 		c.setTeamURL(c.GetSiteURL()+"/"+result.Data.(*model.Team).Name, true)
 	}
@@ -362,7 +376,7 @@ func (c *Context) GetTeamURLFromTeam(team *model.Team) string {
 
 func (c *Context) GetTeamURL() string {
 	if !c.teamURLValid {
-		c.setTeamURLFromSession()
+		c.SetTeamURLFromSession()
 		if !c.teamURLValid {
 			l4g.Debug("TeamURL accessed when not valid. Team URL should not be used in api functions or those that are team independent")
 		}
diff --git a/api/user.go b/api/user.go
index ed3576a30..2d7dd9ab1 100644
--- a/api/user.go
+++ b/api/user.go
@@ -394,6 +394,41 @@ func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User,
 
 	http.SetCookie(w, sessionCookie)
 
+	multiToken := ""
+	if originalMultiSessionCookie, err := r.Cookie(model.MULTI_SESSION_TOKEN); err == nil {
+		multiToken = originalMultiSessionCookie.Value
+	}
+
+	// Attempt to clean all the old tokens or duplicate tokens
+	if len(multiToken) > 0 {
+		tokens := strings.Split(multiToken, " ")
+
+		multiToken = ""
+		seen := make(map[string]string)
+		seen[session.TeamId] = session.TeamId
+		for _, token := range tokens {
+			if sr := <-Srv.Store.Session().Get(token); sr.Err == nil {
+				s := sr.Data.(*model.Session)
+				if !s.IsExpired() && seen[s.TeamId] == "" {
+					multiToken += " " + token
+					seen[s.TeamId] = s.TeamId
+				}
+			}
+		}
+	}
+
+	multiToken = strings.TrimSpace(session.Token + " " + multiToken)
+
+	multiSessionCookie := &http.Cookie{
+		Name:     model.MULTI_SESSION_TOKEN,
+		Value:    multiToken,
+		Path:     "/",
+		MaxAge:   maxAge,
+		HttpOnly: true,
+	}
+
+	http.SetCookie(w, multiSessionCookie)
+
 	c.Session = *session
 	c.LogAuditWithUserId(user.Id, "success")
 }
@@ -514,7 +549,7 @@ func logout(c *Context, w http.ResponseWriter, r *http.Request) {
 
 func Logout(c *Context, w http.ResponseWriter, r *http.Request) {
 	c.LogAudit("")
-	c.RemoveSessionCookie(w)
+	c.RemoveSessionCookie(w, r)
 	if result := <-Srv.Store.Session().Remove(c.Session.Id); result.Err != nil {
 		c.Err = result.Err
 		return
@@ -529,7 +564,7 @@ func getMe(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	if result := <-Srv.Store.User().Get(c.Session.UserId); result.Err != nil {
 		c.Err = result.Err
-		c.RemoveSessionCookie(w)
+		c.RemoveSessionCookie(w, r)
 		l4g.Error("Error in getting users profile for id=%v forcing logout", c.Session.UserId)
 		return
 	} else if HandleEtag(result.Data.(*model.User).Etag(), w, r) {
-- 
cgit v1.2.3-1-g7c22