fix: session refresh works as intended now#5330
fix: session refresh works as intended now#5330isXander wants to merge 3 commits intomodrinth:mainfrom
Conversation
IMB11
added
the
📂 Under review
|
Just confirmed locally that this fix does indeed work! |
aecsocket
left a comment
aecsocket
left a comment
There was a problem hiding this comment.
Keeping the defaults in the database makes sense to me, so I'm fine with the match expression. Code LGTM.
| .await?; | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Would try to remove the UPDATE statements and create the session with just a single INSERT to avoid table bloat - can remove the database default & just define the default in code
There was a problem hiding this comment.
I'm getting mixed signals here!! @aecsocket said to leave the db defaults?
There was a problem hiding this comment.
Sorry for the confusion here - we discussed this in further detail, and came to the conclusion that the default shouldn't be specified in the DB, but in the code itself, since it's more important to combine the INSERT and UPDATE here.
My thought here is that SessionBuilder's insert and update operations should default to Utc::now() + (14 days) for expires, and + 60 days for refresh expires, like the DB already does, but in the Rust logic rather than in the DB. And that SessionBuilder will never omit inserting an expires or refresh_expires value - it will always be set to a value, or the default if not explicitly set.
There was a problem hiding this comment.
Should I add a database migration to remove the defaults from the table on the db-level as to not cause unexpected behaviour or hide bugs?
4 participants
Fixes #5324
What's fixed
/session/refreshfailed with expired sessions given, but the frontend only attempted to refresh after a failed fetch. The route fails because it attempts to get the current user from the auth token, but this fails because the session has expired.refresh_expiresDB column would be reset to 60 days, not retain the timestamp from the original session, making this functionality completely useless./session/refreshaccepted any authorization token, not justmra_session tokens, and would issue a new session.How's it fixed
struct SessionBuilderhas two new fields,expires: Option<DateTime<Utc>>andrefresh_expires.None, database defaults are usedget_user_record_from_bearer_tokento ignore session expiryget_user_from_bearer_tokenfunction that transformsDBUser->Userroutes/internal/session.rs/issue_sessionfunction now acceptsrefresh_expires: Option<DateTime<Utc>>as a new parameter, feeds it into theSessionBuildersession/refreshroute now feeds in the expired session'srefresh_expiressession/refreshroute from accepting Authorization tokens that are notmra_Questions to you
In an attempt to not duplicate the defaults set by the database table migration
(https://github.com/modrinth/code/blob/main/apps/labrinth/migrations/20230628180115_kill-ory.sql#L32-L33), a slightly over-complicated match expression was used to only insert those values when they are
Some.https://github.com/isXander/modrinth/blob/76c63148152b7591b7c93688175bed8e8da4b8aa/apps/labrinth/src/database/models/session_item.rs#L66-L111
If instead you do not mind some duplication, this would make this function significantly simpler.