fix(session): Avoid two useless authtoken DB queries for every anonymous request 42607/head
authorGit'Fellow <12234510+solracsf@users.noreply.github.com>
Sat, 6 Jan 2024 08:03:59 +0000 (09:03 +0100)
committerChristoph Wurst <christoph@winzerhof-wurst.at>
Wed, 17 Jan 2024 08:17:23 +0000 (09:17 +0100)
Co-Authored-By: Christoph Wurst <christoph@winzerhof-wurst.at>
Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
lib/private/User/Session.php
tests/lib/User/SessionTest.php

index 02a7a7e9e16d73146aeff66db9f83b4244ee1344..772a4103490f8cc64c9d8e92ec687866882b86ea 100644 (file)
@@ -842,13 +842,16 @@ class Session implements IUserSession, Emitter {
                $authHeader = $request->getHeader('Authorization');
                if (str_starts_with($authHeader, 'Bearer ')) {
                        $token = substr($authHeader, 7);
-               } else {
-                       // No auth header, let's try session id
+               } elseif ($request->getCookie($this->config->getSystemValueString('instanceid')) !== null) {
+                       // No auth header, let's try session id, but only if this is an existing
+                       // session and the request has a session cookie
                        try {
                                $token = $this->session->getId();
                        } catch (SessionNotAvailableException $ex) {
                                return false;
                        }
+               } else {
+                       return false;
                }
 
                if (!$this->loginWithToken($token)) {
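Review bot: The new `elseif` condition hard-codes the assumption that the PHP session cookie is named after the `instanceid` system value, but nothing in this method records that coupling, so a later change to how the session is named would silently turn every cookie-based login into the new `return false` branch. Extend the added comment to name the dependency, e.g. `// The session cookie is named after the instanceid (presumably set where the session is started); keep the two in sync`. The added comment also says "only if this is an existing session", while the check only tests that a cookie of that name is present; whether a server-side session exists is learned solely from getId() throwing SessionNotAvailableException, so the wording should be "only if the request carries a session cookie". Separately, the `substr($authHeader, 7)` context line can still pass an empty token to loginWithToken() for a bare `Bearer ` header, which the commit's goal of avoiding needless token lookups does not cover; the enclosing method continues outside the hunk.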
index 3b8d75f694c0593223301af22deecf782845cb69..50adda64afdddebf8b8d46f7a195a3ff1bc77b38 100644 (file)
@@ -479,6 +479,56 @@ class SessionTest extends \Test\TestCase {
                $userSession->logClientIn('john', 'doe', $request, $this->throttler);
        }
 
+       public function testTryTokenLoginNoHeaderNoSessionCookie(): void {
+               $request = $this->createMock(IRequest::class);
+               $this->config->expects(self::once())
+                       ->method('getSystemValueString')
+                       ->with('instanceid')
+                       ->willReturn('abc123');
+               $request->method('getHeader')->with('Authorization')->willReturn('');
+               $request->method('getCookie')->with('abc123')->willReturn(null);
+               $this->tokenProvider->expects(self::never())
+                       ->method('getToken');
+
+               $loginResult = $this->userSession->tryTokenLogin($request);
+
+               self::assertFalse($loginResult);
+       }
+
+       public function testTryTokenLoginAuthorizationHeaderTokenNotFound(): void {
+               $request = $this->createMock(IRequest::class);
+               $request->method('getHeader')->with('Authorization')->willReturn('Bearer abcde-12345');
+               $this->tokenProvider->expects(self::once())
+                       ->method('getToken')
+                       ->with('abcde-12345')
+                       ->willThrowException(new InvalidTokenException());
+
+               $loginResult = $this->userSession->tryTokenLogin($request);
+
+               self::assertFalse($loginResult);
+       }
+
+       public function testTryTokenLoginSessionIdTokenNotFound(): void {
+               $request = $this->createMock(IRequest::class);
+               $this->config->expects(self::once())
+                       ->method('getSystemValueString')
+                       ->with('instanceid')
+                       ->willReturn('abc123');
+               $request->method('getHeader')->with('Authorization')->willReturn('');
+               $request->method('getCookie')->with('abc123')->willReturn('abcde12345');
+               $this->session->expects(self::once())
+                       ->method('getId')
+                       ->willReturn('abcde12345');
+               $this->tokenProvider->expects(self::once())
+                       ->method('getToken')
+                       ->with('abcde12345')
+                       ->willThrowException(new InvalidTokenException());
+
+               $loginResult = $this->userSession->tryTokenLogin($request);
+
+               self::assertFalse($loginResult);
+       }
+
        public function testRememberLoginValidToken() {
                $session = $this->getMockBuilder(Memory::class)->setConstructorArgs([''])->getMock();
                $managerMethods = get_class_methods(Manager::class);
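Review bot: testTryTokenLoginAuthorizationHeaderTokenNotFound does not assert that the cookie branch is skipped when an Authorization header is present, so a regression that consults the cookie before or in addition to the header would still pass. Add `$this->config->expects(self::never())->method('getSystemValueString');` and `$request->expects(self::never())->method('getCookie');` to pin the branch order that the Session.php change introduces. The three new tests would also benefit from a one-line docblock naming the tryTokenLogin() branch each one covers, e.g. `/** No Authorization header and no session cookie: no token lookup may happen. */` on the first.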