From 57d10bd9c186a01690e957a4aa342361d4d4c901 Mon Sep 17 00:00:00 2001
From: Rainnny7
Date: Thu, 19 Sep 2024 20:25:35 -0400
Subject: [PATCH] Don't logout the current session when setting up TFA

---
 .../cc/pulseapp/api/model/user/session/Session.java | 5 +++--
 src/main/java/cc/pulseapp/api/service/UserService.java | 10 ++++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/main/java/cc/pulseapp/api/model/user/session/Session.java b/src/main/java/cc/pulseapp/api/model/user/session/Session.java
index 8a17ca4..b8d1097 100644
--- a/src/main/java/cc/pulseapp/api/model/user/session/Session.java
+++ b/src/main/java/cc/pulseapp/api/model/user/session/Session.java
@@ -3,6 +3,7 @@ package cc.pulseapp.api.model.user.session;
 import cc.pulseapp.api.model.user.User;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import lombok.AllArgsConstructor;
+import lombok.EqualsAndHashCode;
 import lombok.Getter;
 import lombok.NonNull;
 import org.springframework.data.annotation.Id;
@@ -14,13 +15,13 @@ import org.springframework.data.redis.core.index.Indexed;
  *
  * @author Braydon
  */
-@AllArgsConstructor @Getter
+@AllArgsConstructor @Getter @EqualsAndHashCode(onlyExplicitlyIncluded = true)
 @RedisHash(value = "sessions", timeToLive = 30 * 24 * 60 * 60) // Expire in 30 days (days, hours, mins, secs)
 public final class Session {
     /**
      * The snowflake of this session.
      */
-    @Id @JsonIgnore private final long snowflake;
+    @EqualsAndHashCode.Include @Id @JsonIgnore private final long snowflake;
 
     /**
      * The snowflake of the user this session is for.
diff --git a/src/main/java/cc/pulseapp/api/service/UserService.java b/src/main/java/cc/pulseapp/api/service/UserService.java
index 726e475..16c32c2 100644
--- a/src/main/java/cc/pulseapp/api/service/UserService.java
+++ b/src/main/java/cc/pulseapp/api/service/UserService.java
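Review bot: The javadoc on `snowflake` does not say that the field now defines session identity: with `@EqualsAndHashCode(onlyExplicitlyIncluded = true)` and the single `@EqualsAndHashCode.Include`, two `Session` objects compare equal whenever their snowflakes match, whatever the user snowflake or any other field holds. UserService's new `removeIf(activeSession -> activeSession.equals(session))` depends on exactly this contract, so it is worth stating where a maintainer adding fields will see it, e.g. `* Two sessions are equal when their snowflakes match; no other field takes part in equals/hashCode.` The class javadoc this hunk ends with starts outside the hunk.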
@@ -2,6 +2,7 @@ package cc.pulseapp.api.service;
 import cc.pulseapp.api.common.HashUtils;
 import cc.pulseapp.api.common.StringUtils;
+import cc.pulseapp.api.common.Tuple;
 import cc.pulseapp.api.exception.impl.BadRequestException;
 import cc.pulseapp.api.model.IGenericResponse;
 import cc.pulseapp.api.model.org.Organization;
@@ -13,6 +14,7 @@ import cc.pulseapp.api.model.user.input.CompleteOnboardingInput;
 import cc.pulseapp.api.model.user.input.EnableTFAInput;
 import cc.pulseapp.api.model.user.input.UserExistsInput;
 import cc.pulseapp.api.model.user.response.UserSetupTFAResponse;
+import cc.pulseapp.api.model.user.session.Session;
 import cc.pulseapp.api.repository.SessionRepository;
 import cc.pulseapp.api.repository.UserRepository;
 import com.github.benmanes.caffeine.cache.Cache;
@@ -181,7 +183,9 @@ public final class UserService {
         if (input == null || (!input.isValid())) { // Ensure the input was provided
             throw new BadRequestException(Error.MALFORMED_ENABLE_TFA_INPUT);
         }
-        User user = authService.getAuthenticatedUser();
+        Tuple sessionAndUser = authService.getSessionAndUser();
+        Session session = sessionAndUser.getLeft();
+        User user = sessionAndUser.getRight();
         if (user.hasFlag(UserFlag.TFA_ENABLED)) { // Ensure TFA isn't already on
             throw new BadRequestException(Error.TFA_ALREADY_ENABLED);
         }
@@ -211,7 +215,9 @@ public final class UserService {
         userRepository.save(user);
 
         // And finally invalidate all of the sessions for the user
-        sessionRepository.deleteAll(sessionRepository.findAllByUserSnowflake(user.getSnowflake()));
+        List sessions = sessionRepository.findAllByUserSnowflake(user.getSnowflake());
+        sessions.removeIf(activeSession -> activeSession.equals(session));
+        sessionRepository.deleteAll(sessions);
         return originalBackupCodes;
     }
 
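Review bot: `Tuple sessionAndUser = authService.getSessionAndUser();` is declared as a raw type, and so is `List sessions` in the following hunk; if `Tuple` and `List` are generic here, the unchecked assignments to `Session` and `User` would not compile without casts, so either the type arguments were intended (`Tuple<Session, User>` and `List<Session>` — the angle brackets may simply have been lost when this patch was rendered) or `Tuple` has fixed accessor types, in which case a name saying what it pairs would read better than `getLeft()`/`getRight()`. If the former, declare `Tuple<Session, User> sessionAndUser = authService.getSessionAndUser();` and `List<Session> sessions = ...;`. The enclosing method starts before this hunk and ends after it.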
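Review bot: `sessions.removeIf(activeSession -> activeSession.equals(session))` mutates the list handed back by `sessionRepository.findAllByUserSnowflake(...)`, whose mutability the repository contract does not promise; if that list is ever unmodifiable the call would throw `UnsupportedOperationException` right after `userRepository.save(user)` has persisted `TFA_ENABLED`, leaving every old session alive. Copying first removes the dependency: `List<Session> sessions = new ArrayList<>(sessionRepository.findAllByUserSnowflake(user.getSnowflake()));` (with `java.util.ArrayList` imported if it is not already). The comment `// And finally invalidate all of the sessions for the user` is also no longer true, since the session that enabled TFA is deliberately kept; I would change it to `// Invalidate every other session for the user, keeping the one that enabled TFA`. The enclosing method starts before this hunk.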