From 90307ad2004a9a9ddda30af4038224fedf0e6ca3 Mon Sep 17 00:00:00 2001 From: Gusted Date: Wed, 27 Dec 2023 23:22:06 +0100 Subject: [PATCH] [GITEA] Fix session generation for database - If the session doesn't exist, it shouldn't be expected that the variable is non-nil. Define the session variable instead and insert that. - Add unit tests to test the behavior of the database sessions code . - Regression caused by dd30d9d5c0f577cb6e084aae6de2752ad43474d8. - Resolves https://codeberg.org/forgejo/forgejo/issues/2042 --- models/auth/session.go | 7 +- models/auth/session_test.go | 142 ++++++++++++++++++++++++++++++++++++ 2 files changed, 147 insertions(+), 2 deletions(-) create mode 100644 models/auth/session_test.go diff --git a/models/auth/session.go b/models/auth/session.go index 60fdeaba7c..41d59cea29 100644 --- a/models/auth/session.go +++ b/models/auth/session.go @@ -45,8 +45,11 @@ func ReadSession(ctx context.Context, key string) (*Session, error) { if err != nil { return nil, err } else if !exist { - session.Expiry = timeutil.TimeStampNow() - if err := db.Insert(ctx, &session); err != nil { + session = &Session{ + Key: key, + Expiry: timeutil.TimeStampNow(), + } + if err := db.Insert(ctx, session); err != nil { return nil, err } } diff --git a/models/auth/session_test.go b/models/auth/session_test.go new file mode 100644 index 0000000000..1731f40ccd --- /dev/null +++ b/models/auth/session_test.go @@ -0,0 +1,142 @@ +// Copyright 2023 The Forgejo Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package auth_test + +import ( + "testing" + "time" + + "code.gitea.io/gitea/models/auth" + "code.gitea.io/gitea/models/db" + "code.gitea.io/gitea/models/unittest" + "code.gitea.io/gitea/modules/timeutil" + + "github.com/stretchr/testify/assert" +) + +func TestAuthSession(t *testing.T) { + assert.NoError(t, unittest.PrepareTestDatabase()) + defer timeutil.Unset() + + key := "I-Like-Free-Software" + + t.Run("Create Session", func(t *testing.T) { + // Ensure it doesn't exist. + ok, err := auth.ExistSession(db.DefaultContext, key) + assert.NoError(t, err) + assert.False(t, ok) + + preCount, err := auth.CountSessions(db.DefaultContext) + assert.NoError(t, err) + + now := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC) + timeutil.Set(now) + + // New session is created. + sess, err := auth.ReadSession(db.DefaultContext, key) + assert.NoError(t, err) + assert.EqualValues(t, key, sess.Key) + assert.Empty(t, sess.Data) + assert.EqualValues(t, now.Unix(), sess.Expiry) + + // Ensure it exists. + ok, err = auth.ExistSession(db.DefaultContext, key) + assert.NoError(t, err) + assert.True(t, ok) + + // Ensure the session is taken into account for count.. + postCount, err := auth.CountSessions(db.DefaultContext) + assert.NoError(t, err) + assert.Greater(t, postCount, preCount) + }) + + t.Run("Update session", func(t *testing.T) { + data := []byte{0xba, 0xdd, 0xc0, 0xde} + now := time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC) + timeutil.Set(now) + + // Update session. + err := auth.UpdateSession(db.DefaultContext, key, data) + assert.NoError(t, err) + + timeutil.Set(time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)) + + // Read updated session. + // Ensure data is updated and expiry is set from the update session call. + sess, err := auth.ReadSession(db.DefaultContext, key) + assert.NoError(t, err) + assert.EqualValues(t, key, sess.Key) + assert.EqualValues(t, data, sess.Data) + assert.EqualValues(t, now.Unix(), sess.Expiry) + + timeutil.Set(now) + }) + + t.Run("Delete session", func(t *testing.T) { + // Ensure it't exist. + ok, err := auth.ExistSession(db.DefaultContext, key) + assert.NoError(t, err) + assert.True(t, ok) + + preCount, err := auth.CountSessions(db.DefaultContext) + assert.NoError(t, err) + + err = auth.DestroySession(db.DefaultContext, key) + assert.NoError(t, err) + + // Ensure it doens't exists. + ok, err = auth.ExistSession(db.DefaultContext, key) + assert.NoError(t, err) + assert.False(t, ok) + + // Ensure the session is taken into account for count.. + postCount, err := auth.CountSessions(db.DefaultContext) + assert.NoError(t, err) + assert.Less(t, postCount, preCount) + }) + + t.Run("Cleanup sessions", func(t *testing.T) { + timeutil.Set(time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)) + + _, err := auth.ReadSession(db.DefaultContext, "sess-1") + assert.NoError(t, err) + + // One minute later. + timeutil.Set(time.Date(2023, 1, 1, 0, 1, 0, 0, time.UTC)) + _, err = auth.ReadSession(db.DefaultContext, "sess-2") + assert.NoError(t, err) + + // 5 minutes, shouldn't clean up anything. + err = auth.CleanupSessions(db.DefaultContext, 5*60) + assert.NoError(t, err) + + ok, err := auth.ExistSession(db.DefaultContext, "sess-1") + assert.NoError(t, err) + assert.True(t, ok) + + ok, err = auth.ExistSession(db.DefaultContext, "sess-2") + assert.NoError(t, err) + assert.True(t, ok) + + // 1 minute, should clean up sess-1. + err = auth.CleanupSessions(db.DefaultContext, 60) + assert.NoError(t, err) + + ok, err = auth.ExistSession(db.DefaultContext, "sess-1") + assert.NoError(t, err) + assert.False(t, ok) + + ok, err = auth.ExistSession(db.DefaultContext, "sess-2") + assert.NoError(t, err) + assert.True(t, ok) + + // Now, should clean up sess-2. + err = auth.CleanupSessions(db.DefaultContext, 0) + assert.NoError(t, err) + + ok, err = auth.ExistSession(db.DefaultContext, "sess-2") + assert.NoError(t, err) + assert.False(t, ok) + }) +}