fix: session refresh works as intended now (#5330)

* fix: session refresh works as intended now * use code-defined defaults for expires and session_expires * fix sqlx * database migration drop defaults * run fmt * remove comment in migration Signed-off-by: Xander <xander@isxander.dev> --------- Signed-off-by: Xander <xander@isxander.dev>
2026-02-26 17:33:09 +00:00
parent 1ab722411a
commit 017f6a5afb
15 changed files with 129 additions and 113 deletions
--- a/apps/labrinth/src/auth/validate.rs
+++ b/apps/labrinth/src/auth/validate.rs
@@ -32,6 +32,7 @@ where
        executor,
        redis,
        session_queue,
+        false,
    )
    .await?
    else {
@@ -61,6 +62,7 @@ where
        executor,
        redis,
        session_queue,
+        false,
    )
    .await?
    .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
@@ -95,12 +97,38 @@ where
    Ok((scopes, User::from_full(db_user)))
 }

+pub async fn get_user_from_bearer_token<'a, E>(
+    req: &HttpRequest,
+    token: Option<&str>,
+    executor: E,
+    redis: &RedisPool,
+    session_queue: &AuthQueue,
+    allow_expired: bool,
+) -> Result<(Scopes, User), AuthenticationError>
+where
+    E: crate::database::Executor<'a, Database = sqlx::Postgres> + Copy,
+{
+    let (scopes, db_user) = get_user_record_from_bearer_token(
+        req,
+        token,
+        executor,
+        redis,
+        session_queue,
+        allow_expired,
+    )
+    .await?
+    .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
+
+    Ok((scopes, User::from_full(db_user)))
+}
+
 pub async fn get_user_record_from_bearer_token<'a, 'b, E>(
    req: &HttpRequest,
    token: Option<&str>,
    executor: E,
    redis: &RedisPool,
    session_queue: &AuthQueue,
+    allow_expired: bool,
 ) -> Result<Option<(Scopes, user_item::DBUser)>, AuthenticationError>
 where
    E: crate::database::Executor<'a, Database = sqlx::Postgres> + Copy,
@@ -120,7 +148,7 @@ where
                .await?
                .ok_or_else(|| AuthenticationError::InvalidCredentials)?;

-            if pat.expires < Utc::now() {
+            if !allow_expired && pat.expires < Utc::now() {
                return Err(AuthenticationError::InvalidCredentials);
            }

@@ -139,7 +167,7 @@ where
                .await?
                .ok_or_else(|| AuthenticationError::InvalidCredentials)?;

-            if session.expires < Utc::now() {
+            if !allow_expired && session.expires < Utc::now() {
                return Err(AuthenticationError::InvalidCredentials);
            }

@@ -169,7 +197,7 @@ where
                    .await?
                    .ok_or(AuthenticationError::InvalidCredentials)?;

-            if access_token.expires < Utc::now() {
+            if !allow_expired && access_token.expires < Utc::now() {
                return Err(AuthenticationError::InvalidCredentials);
            }