From fee50be1bb27ef64932980c08ece1037830c65b3 Mon Sep 17 00:00:00 2001
From: Jo
Date: Wed, 30 Nov 2022 14:33:19 +0000
Subject: [PATCH] Sessions: Remove invalid session cookie if it's invalid/expired/missing (#59556)

only remove invalid session cookie if it's invalid/expired/missing
---
 pkg/models/usertoken/user_token.go | 13 ++++++++++++-
 pkg/services/auth/auth.go | 15 +++++++++++----
 pkg/services/contexthandler/contexthandler.go | 9 ++++++---
 3 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/pkg/models/usertoken/user_token.go b/pkg/models/usertoken/user_token.go
index beb2ac1355f..9b350f300b7 100644
--- a/pkg/models/usertoken/user_token.go
+++ b/pkg/models/usertoken/user_token.go
@@ -1,12 +1,23 @@
 package usertoken
 
+import (
+	"errors"
+	"fmt"
+)
+
+var ErrInvalidSessionToken = errors.New("invalid session token")
+
 type TokenRevokedError struct {
 	UserID int64
 	TokenID int64
 	MaxConcurrentSessions int64
 }
 
-func (e *TokenRevokedError) Error() string { return "user token revoked" }
+func (e *TokenRevokedError) Error() string {
+	return fmt.Sprintf("%s: user token revoked", ErrInvalidSessionToken)
+}
+
+func (e *TokenRevokedError) Unwrap() error { return ErrInvalidSessionToken }
 
 // UserToken represents a user token
 type UserToken struct {
diff --git a/pkg/services/auth/auth.go b/pkg/services/auth/auth.go
index 28d17307047..3d1f381ea80 100644
--- a/pkg/services/auth/auth.go
+++ b/pkg/services/auth/auth.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net"
 
 	"github.com/grafana/grafana/pkg/models/usertoken"
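Review bot: `ErrInvalidSessionToken` is a new exported sentinel and `Unwrap` a new exported method in the user_token.go hunk, and neither carries a doc comment, although the whole point of the change is that callers test `errors.Is(err, ErrInvalidSessionToken)` instead of matching concrete types. Suggested text: `// ErrInvalidSessionToken is the sentinel that revoked, expired and otherwise unusable session tokens unwrap to; test for it with errors.Is, never ==.` above the var, and `// Unwrap lets errors.Is(err, ErrInvalidSessionToken) match a revoked-token error.` above Unwrap. The same omission applies to the `ErrInvalidSessionToken` re-export and the `TokenExpiredError.Unwrap` added in the two auth.go hunks. Note also that `Error()` now returns "invalid session token: user token revoked" rather than "user token revoked", and that text reaches logs via the `"error", err` field in the contexthandler hunk, so any test or log-based alert matching the old message needs updating.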
@@ -18,10 +19,14 @@ const (
 
 // Typed errors
 var (
-	ErrUserTokenNotFound = errors.New("user token not found")
+	ErrUserTokenNotFound = errors.New("user token not found")
+	ErrInvalidSessionToken = usertoken.ErrInvalidSessionToken
 )
 
-type TokenRevokedError = usertoken.TokenRevokedError
+type (
+	TokenRevokedError = usertoken.TokenRevokedError
+	UserToken = usertoken.UserToken
+)
 
 // CreateTokenErr represents a token creation error; used in Enterprise
 type CreateTokenErr struct {
@@ -42,9 +47,11 @@ type TokenExpiredError struct {
 	TokenID int64
 }
 
-func (e *TokenExpiredError) Error() string { return "user token expired" }
+func (e *TokenExpiredError) Unwrap() error { return ErrInvalidSessionToken }
 
-type UserToken = usertoken.UserToken
+func (e *TokenExpiredError) Error() string {
+	return fmt.Sprintf("%s: user token expired", ErrInvalidSessionToken)
+}
 
 type RevokeAuthTokenCmd struct {
 	AuthTokenId int64 `json:"authTokenId"`
diff --git a/pkg/services/contexthandler/contexthandler.go b/pkg/services/contexthandler/contexthandler.go
index f09015707d3..0b2c3de850e 100644
--- a/pkg/services/contexthandler/contexthandler.go
+++ b/pkg/services/contexthandler/contexthandler.go
@@ -429,9 +429,12 @@ func (h *ContextHandler) initContextWithToken(reqContext *models.ReqContext, org
 	token, err := h.AuthTokenService.LookupToken(ctx, rawToken)
 	if err != nil {
-		reqContext.Logger.Warn("Failed to look up user based on cookie", "error", err)
-		// Burn the cookie in case of failure
-		reqContext.Resp.Before(h.deleteInvalidCookieEndOfRequestFunc(reqContext))
+		reqContext.Logger.Warn("failed to look up session from cookie", "error", err)
+		if errors.Is(err, auth.ErrUserTokenNotFound) || errors.Is(err, auth.ErrInvalidSessionToken) {
+			// Burn the cookie in case of invalid, expired or missing token
+			reqContext.Resp.Before(h.deleteInvalidCookieEndOfRequestFunc(reqContext))
+		}
+		reqContext.LookupTokenErr = err
 		return false
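Review bot: In the `TokenExpiredError` hunk the new `Unwrap` takes the slot of the removed one-line `Error` and `Error` is re-added below it, so the type now reads Unwrap-then-Error, the reverse of `TokenRevokedError` in user_token.go and of the usual order; swapping the two declarations keeps the two error types parallel. Both `Error` bodies are also the same shape, `fmt.Sprintf("%s: ...", ErrInvalidSessionToken)`; since the prefix is a fixed string, `ErrInvalidSessionToken.Error() + ": user token expired"` says the same without the formatting machinery, though that is a nit. In the preceding hunk `ErrInvalidSessionToken` is re-exported as a package `var` holding the same value as `usertoken.ErrInvalidSessionToken`, which is what makes `errors.Is` through either name work but also means a later reassignment of either name would silently break that match; a comment such as `// ErrInvalidSessionToken re-exports usertoken.ErrInvalidSessionToken so callers can use errors.Is without importing usertoken; do not reassign.` would record the intent.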