Sessions: Remove invalid session cookie if it's invalid/expired/missing (#59556)

only remove invalid session cookie if it's invalid/expired/missing
2025-02-25 18:55:37 -06:00 · 2022-11-30 14:33:19 +00:00 · 2022-11-30 14:33:19 +00:00 · fee50be1bb
commit fee50be1bb
parent 10a83714c8
3 changed files with 29 additions and 8 deletions
--- a/pkg/models/usertoken/user_token.go
+++ b/pkg/models/usertoken/user_token.go
@ -1,12 +1,23 @@
 package usertoken

+import (
+	"errors"
+	"fmt"
+)
+
+var ErrInvalidSessionToken = errors.New("invalid session token")
+
 type TokenRevokedError struct {
 	UserID                int64
 	TokenID               int64
 	MaxConcurrentSessions int64
 }

-func (e *TokenRevokedError) Error() string { return "user token revoked" }
+func (e *TokenRevokedError) Error() string {
+	return fmt.Sprintf("%s: user token revoked", ErrInvalidSessionToken)
+}
+
+func (e *TokenRevokedError) Unwrap() error { return ErrInvalidSessionToken }

 // UserToken represents a user token
 type UserToken struct {
--- a/pkg/services/auth/auth.go
+++ b/pkg/services/auth/auth.go
@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net"

 	"github.com/grafana/grafana/pkg/models/usertoken"
@ -19,9 +20,13 @@ const (
 // Typed errors
 var (
 	ErrUserTokenNotFound   = errors.New("user token not found")
+	ErrInvalidSessionToken = usertoken.ErrInvalidSessionToken
 )

-type TokenRevokedError = usertoken.TokenRevokedError
+type (
+	TokenRevokedError = usertoken.TokenRevokedError
+	UserToken         = usertoken.UserToken
+)

 // CreateTokenErr represents a token creation error; used in Enterprise
 type CreateTokenErr struct {
@ -42,9 +47,11 @@ type TokenExpiredError struct {
 	TokenID int64
 }

-func (e *TokenExpiredError) Error() string { return "user token expired" }
+func (e *TokenExpiredError) Unwrap() error { return ErrInvalidSessionToken }

-type UserToken = usertoken.UserToken
+func (e *TokenExpiredError) Error() string {
+	return fmt.Sprintf("%s: user token expired", ErrInvalidSessionToken)
+}

 type RevokeAuthTokenCmd struct {
 	AuthTokenId int64 `json:"authTokenId"`
--- a/pkg/services/contexthandler/contexthandler.go
+++ b/pkg/services/contexthandler/contexthandler.go
@ -429,9 +429,12 @@ func (h *ContextHandler) initContextWithToken(reqContext *models.ReqContext, org

 	token, err := h.AuthTokenService.LookupToken(ctx, rawToken)
 	if err != nil {
-		reqContext.Logger.Warn("Failed to look up user based on cookie", "error", err)
-		// Burn the cookie in case of failure
+		reqContext.Logger.Warn("failed to look up session from cookie", "error", err)
+		if errors.Is(err, auth.ErrUserTokenNotFound) || errors.Is(err, auth.ErrInvalidSessionToken) {
+			// Burn the cookie in case of invalid, expired or missing token
 			reqContext.Resp.Before(h.deleteInvalidCookieEndOfRequestFunc(reqContext))
+		}
+
 		reqContext.LookupTokenErr = err

 		return false