feat(security): #328 delete old sessions forgot password [tbs]

2024-12-18 22:48:54 +01:00
parent 2b46a00a49
commit 588f915c86
8 changed files with 103 additions and 61 deletions
--- a/db/auth.go
+++ b/db/auth.go
@@ -100,8 +100,8 @@ type Auth interface {

 	InsertSession(session *Session) error
 	GetSession(sessionId string) (*Session, error)
+	GetSessions(userId uuid.UUID) ([]*Session, error)
 	DeleteSession(sessionId string) error
-	DeleteOtherSessions(userId uuid.UUID, sessionId string) error
 	DeleteOldSessions(userId uuid.UUID) error
 }

@@ -417,16 +417,33 @@ func (db AuthSqlite) GetSession(sessionId string) (*Session, error) {
 	return NewSession(sessionId, userId, createdAt, expiresAt), nil
 }

-func (db AuthSqlite) DeleteOtherSessions(userId uuid.UUID, sessionId string) error {
-	_, err := db.db.Exec(`
-		DELETE FROM session 
-		WHERE session_id != ?
-		  AND user_id = ?`, sessionId, userId)
+func (db AuthSqlite) GetSessions(userId uuid.UUID) ([]*Session, error) {
+
+	sessions, err := db.db.Query(`
+			SELECT session_id, created_at, expires_at
+			FROM session 
+			WHERE user_id = ?`, userId)
 	if err != nil {
-		log.Error("Could not delete other active sessions: %v", err)
-		return types.ErrInternal
+		log.Error("Could not get sessions: %v", err)
+		return nil, types.ErrInternal
 	}
-	return nil
+
+	var result []*Session
+
+	for sessions.Next() {
+		var (
+			sessionId string
+			createdAt time.Time
+			expiresAt time.Time
+		)
+
+		sessions.Scan(&sessionId, &createdAt, &expiresAt)
+
+		session := NewSession(sessionId, userId, createdAt, expiresAt)
+		result = append(result, session)
+	}
+
+	return result, nil
 }

 func (db AuthSqlite) DeleteOldSessions(userId uuid.UUID) error {