Stop storing client tokens in sessions (#3272)

2026-01-27 10:18:54 +00:00 · 2024-01-16 23:34:26 -06:00
parent dc57206027
commit 5569be4715
3 changed files with 20 additions and 7 deletions
--- a/elixir/apps/web/lib/web/auth.ex
+++ b/elixir/apps/web/lib/web/auth.ex
@@ -23,14 +23,17 @@ defmodule Web.Auth do

  # Session Management

-  def put_account_session(%Plug.Conn{} = conn, context_type, account_id, encoded_fragment)
-      when context_type in [:browser, :client] do
-    session = {context_type, account_id, encoded_fragment}
+  def put_account_session(%Plug.Conn{} = conn, :client, _account_id, _encoded_fragment) do
+    conn
+  end
+
+  def put_account_session(%Plug.Conn{} = conn, :browser, account_id, encoded_fragment) do
+    session = {:browser, account_id, encoded_fragment}

    sessions =
      Plug.Conn.get_session(conn, :sessions, [])
      |> Enum.reject(fn {session_context_type, session_account_id, _encoded_fragment} ->
-        session_context_type == context_type and session_account_id == account_id
+        session_context_type == :browser and session_account_id == account_id
      end)

    sessions = Enum.take(sessions ++ [session], -1 * @remember_last_sessions)
--- a/elixir/apps/web/test/web/acceptance/auth/email_test.exs
+++ b/elixir/apps/web/test/web/acceptance/auth/email_test.exs
@@ -112,6 +112,16 @@ defmodule Web.Acceptance.SignIn.EmailTest do
    |> email_login_flow(account, identity.provider_identifier, redirect_params)
    |> assert_el(Query.text("Client redirected"))
    |> assert_path(~p"/handle_client_sign_in_callback")
+
+    # The browser sessions stays active
+    session
+    |> visit(~p"/#{account}/sites")
+    |> assert_el(Query.css("#user-menu-button"))
+
+    # Browser is stored correctly
+    {:ok, cookie} = Auth.fetch_session_cookie(session)
+    assert [{:browser, account_id, _fragment}] = cookie["sessions"]
+    assert account_id == account.id
  end

  defp email_login_flow(session, account, email, redirect_params \\ %{}) do
--- a/elixir/apps/web/test/web/auth_test.exs
+++ b/elixir/apps/web/test/web/auth_test.exs
@@ -78,7 +78,7 @@ defmodule Web.AuthTest do
      assert get_session(conn, :sessions) == [{:browser, account.id, encoded_token}]
    end

-    test "persists a client token in session", %{
+    test "does not persist a client token in session", %{
      conn: conn,
      account: account,
      nonce: nonce,
@@ -86,7 +86,7 @@ defmodule Web.AuthTest do
    } do
      encoded_token = nonce <> encoded_fragment
      conn = put_account_session(conn, :client, account.id, encoded_token)
-      assert get_session(conn, "sessions") == [{:client, account.id, encoded_token}]
+      assert get_session(conn, "sessions", []) == []
    end

    test "updates an existing account_id session", %{
@@ -771,7 +771,7 @@ defmodule Web.AuthTest do
          | path_params: %{"account_id_or_slug" => account.slug},
            params: redirect_params
        }
-        |> put_account_session(context.type, account.id, encoded_fragment)
+        |> put_session(:sessions, [{context.type, account.id, encoded_fragment}])
        |> assign(:subject, client_subject)
        |> redirect_if_user_is_authenticated([])