Sessions: Remove invalid session cookie if it's invalid/expired/missing (#59556)

only remove invalid session cookie if it's invalid/expired/missing
3 years ago · fee50be1bb
parent 10a83714c8
commit fee50be1bb
3 changed files with 29 additions and 8 deletions
--- a/pkg/models/usertoken/user_token.go
+++ b/pkg/models/usertoken/user_token.go
@ -1,12 +1,23 @@
 package usertoken
 import (
 	"errors"
 	"fmt"
 )
 var ErrInvalidSessionToken = errors.New("invalid session token")
 type TokenRevokedError struct {
 	UserID                int64
 	TokenID               int64
 	MaxConcurrentSessions int64
 }
-func (e *TokenRevokedError) Error() string { return "user token revoked" }
+func (e *TokenRevokedError) Error() string {
 	return fmt.Sprintf("%s: user token revoked", ErrInvalidSessionToken)
 }
 func (e *TokenRevokedError) Unwrap() error { return ErrInvalidSessionToken }
 // UserToken represents a user token
 type UserToken struct {
--- a/pkg/services/auth/auth.go
+++ b/pkg/services/auth/auth.go
@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"github.com/grafana/grafana/pkg/models/usertoken"
@ -18,10 +19,14 @@ const (
 // Typed errors
 var (
-	ErrUserTokenNotFound = errors.New("user token not found")
+	ErrUserTokenNotFound   = errors.New("user token not found")
 	ErrInvalidSessionToken = usertoken.ErrInvalidSessionToken
 )
-type TokenRevokedError = usertoken.TokenRevokedError
+type (
 	TokenRevokedError = usertoken.TokenRevokedError
 	UserToken         = usertoken.UserToken
 )
 // CreateTokenErr represents a token creation error; used in Enterprise
 type CreateTokenErr struct {
@ -42,9 +47,11 @@ type TokenExpiredError struct {
 	TokenID int64
 }
-func (e *TokenExpiredError) Error() string { return "user token expired" }
+func (e *TokenExpiredError) Unwrap() error { return ErrInvalidSessionToken }
-type UserToken = usertoken.UserToken
+func (e *TokenExpiredError) Error() string {
 	return fmt.Sprintf("%s: user token expired", ErrInvalidSessionToken)
 }
 type RevokeAuthTokenCmd struct {
 	AuthTokenId int64 `json:"authTokenId"`
--- a/pkg/services/contexthandler/contexthandler.go
+++ b/pkg/services/contexthandler/contexthandler.go
@ -429,9 +429,12 @@ func (h *ContextHandler) initContextWithToken(reqContext *models.ReqContext, org
 	token, err := h.AuthTokenService.LookupToken(ctx, rawToken)
 	if err != nil {
-		reqContext.Logger.Warn("Failed to look up user based on cookie", "error", err)
+		reqContext.Logger.Warn("failed to look up session from cookie", "error", err)
-		// Burn the cookie in case of failure
+		if errors.Is(err, auth.ErrUserTokenNotFound) || errors.Is(err, auth.ErrInvalidSessionToken) {
-		reqContext.Resp.Before(h.deleteInvalidCookieEndOfRequestFunc(reqContext))
+			// Burn the cookie in case of invalid, expired or missing token
 			reqContext.Resp.Before(h.deleteInvalidCookieEndOfRequestFunc(reqContext))
 		}
 		reqContext.LookupTokenErr = err
 		return false