MrSphay/Modrinth-plus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: session refresh works as intended now (#5330)

Browse Source 
* fix: session refresh works as intended now

* use code-defined defaults for expires and session_expires

* fix sqlx

* database migration drop defaults

* run fmt

* remove comment in migration

Signed-off-by: Xander <xander@isxander.dev>

---------

Signed-off-by: Xander <xander@isxander.dev>
This commit is contained in:
Xander
2026-02-26 17:33:09 +00:00
committed by GitHub
parent 1ab722411a
commit 017f6a5afb
15 changed files with 129 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
apps/labrinth/src/routes/internal/admin.rs
View File

@@ -57,6 +57,7 @@ pub async fn count_download(
&**pool,
&redis,
&session_queue,
false,
)
.await
.ok()

14
apps/labrinth/src/routes/internal/flows.rs
View File

@@ -1079,6 +1079,7 @@ pub async fn init(
&**client,
&redis,
&session_queue,
false,
)
.await
.ok()
@@ -1114,6 +1115,7 @@ pub async fn init(
&**client,
&redis,
&session_queue,
false,
)
.await?
.ok_or_else(|| AuthenticationError::InvalidCredentials)?;
@@ -1308,7 +1310,8 @@ pub async fn auth_callback(
};
let session =
issue_session(req, user_id, &mut transaction, &redis).await?;
issue_session(req, user_id, &mut transaction, &redis, None)
.await?;
transaction.commit().await?;
let redirect_url = format!(
@@ -1533,7 +1536,8 @@ pub async fn create_account_with_password(
.insert(&mut transaction)
.await?;
let session = issue_session(req, user_id, &mut transaction, &redis).await?;
let session =
issue_session(req, user_id, &mut transaction, &redis, None).await?;
let res = crate::models::sessions::Session::from(session, true, None);
let mailbox: Mailbox = new_account.email.parse().map_err(|_| {
@@ -1627,7 +1631,7 @@ pub async fn login_password(
} else {
let mut transaction = pool.begin().await?;
let session =
issue_session(req, user.id, &mut transaction, &redis).await?;
issue_session(req, user.id, &mut transaction, &redis, None).await?;
let res = crate::models::sessions::Session::from(session, true, None);
transaction.commit().await?;
@@ -1757,7 +1761,7 @@ pub async fn login_2fa(
DBFlow::remove(&login.flow, &redis).await?;
let session =
issue_session(req, user_id, &mut transaction, &redis).await?;
issue_session(req, user_id, &mut transaction, &redis, None).await?;
let res = crate::models::sessions::Session::from(session, true, None);
transaction.commit().await?;
@@ -1945,6 +1949,7 @@ pub async fn remove_2fa(
&**pool,
&redis,
&session_queue,
false,
)
.await?
.ok_or_else(|| AuthenticationError::InvalidCredentials)?;
@@ -2150,6 +2155,7 @@ pub async fn change_password(
&**pool,
&redis,
&session_queue,
false,
)
.await?
.ok_or_else(|| AuthenticationError::InvalidCredentials)?;

45
apps/labrinth/src/routes/internal/session.rs
View File

@@ -1,3 +1,4 @@
use crate::auth::validate::get_user_from_bearer_token;
use crate::auth::{AuthenticationError, get_user_from_headers};
use crate::database::models::DBUserId;
use crate::database::models::session_item::DBSession;
@@ -12,7 +13,7 @@ use crate::routes::ApiError;
use actix_web::http::header::AUTHORIZATION;
use actix_web::web::{Data, ServiceConfig, scope};
use actix_web::{HttpRequest, HttpResponse, delete, get, post, web};
use chrono::Utc;
use chrono::{DateTime, Utc};
use rand::distributions::Alphanumeric;
use rand::{Rng, SeedableRng};
use rand_chacha::ChaCha20Rng;
@@ -88,6 +89,7 @@ pub async fn issue_session(
user_id: DBUserId,
transaction: &mut PgTransaction<'_>,
redis: &RedisPool,
session_expires: Option<DateTime<Utc>>,
) -> Result<DBSession, AuthenticationError> {
let metadata = get_session_metadata(&req).await?;
@@ -108,6 +110,8 @@ pub async fn issue_session(
country: metadata.country,
ip: metadata.ip,
user_agent: metadata.user_agent,
expires: None,
session_expires,
}
.insert(transaction)
.await?;
@@ -212,15 +216,6 @@ pub async fn refresh(
redis: Data<RedisPool>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let current_user = get_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::empty(),
)
.await?
.1;
let session = req
.headers()
.get(AUTHORIZATION)
@@ -229,6 +224,25 @@ pub async fn refresh(
ApiError::Authentication(AuthenticationError::InvalidCredentials)
})?;
// We should ensure that the authorization given is a session token, and not some other type of token (like a PAT), since this endpoint is only for refreshing sessions.
// This is done by checking the prefix of the token, which should be "mra_" for session tokens.
if !session.starts_with("mra_") {
return Err(ApiError::Authentication(
AuthenticationError::InvalidCredentials,
));
}
let current_user = get_user_from_bearer_token(
&req,
Some(session),
&**pool,
&redis,
&session_queue,
true, // Allow expired sessions, since we want to allow refreshing expired sessions
)
.await?
.1;
let session = DBSession::get(session, &**pool, &redis).await?;
if let Some(session) = session {
@@ -243,9 +257,14 @@ pub async fn refresh(
let mut transaction = pool.begin().await?;
DBSession::remove(session.id, &mut transaction).await?;
let new_session =
issue_session(req, session.user_id, &mut transaction, &redis)
.await?;
let new_session = issue_session(
req,
session.user_id,
&mut transaction,
&redis,
Some(session.refresh_expires),
)
.await?;
transaction.commit().await?;
DBSession::clear_cache(
vec![(

1
apps/labrinth/src/routes/internal/statuses.rs
View File

@@ -58,6 +58,7 @@ pub async fn ws_init(
&**pool,
&redis,
&session_queue,
false,
)
.await?
.ok_or_else(|| {

2
apps/labrinth/src/routes/v3/payouts.rs
View File

@@ -440,6 +440,7 @@ pub async fn calculate_fees(
&**pool,
&redis,
&session_queue,
false,
)
.await?
.ok_or_else(|| {
@@ -472,6 +473,7 @@ pub async fn create_payout(
&**pool,
&redis,
&session_queue,
false,
)
.await?
.ok_or_else(|| {