Test/test for session timeout bug

[PedroAugustoRamalhoDuarte]

Hello @jankoegel,

I haven't been able to determine whether the issue with the test or the code. However, with remember_me module enabled after session timeout test is failing.

I believe this may be due to line 72 in the lib/sorcery/controller.rb file within the logout method. In the logged_in function, we call logout, and because of this, we are unable to reach the before_logout hook.

Let me know if you need further clarification or assistance.

[jankoegel]

Thanks for preparing this.
I had trouble running the Sorcery specs as well.

When I run the specs of this PR with Ruby 3.2.2 I get 20 failures [1] in total. The most relevant ones for us are:

rspec ./spec/controllers/controller_session_timeout_spec.rb:132 # SorceryController with session timeout features with 'session_timeout_from_last_action' does not logout if there was activity
rspec ./spec/controllers/controller_session_timeout_spec.rb:194 # SorceryController with session timeout features with remember_me module enable after session timeout resets session and remember_me

Is 132 also failing for you or only 194?

194's error for me is:

Failure/Error: expect(cookies['remember_me_token']).to be_nil

       expected: nil
            got: "BAh..."

Which is weird because I also test resetting og the remember_me_token after invalidation in my app's specs and there it correctly gets reset to "".

---

[1]

479 examples, 20 failures, 2 pending

Failed examples:

rspec ./spec/controllers/controller_oauth2_spec.rb:31 # SorceryController using create_from creates a new user
rspec ./spec/controllers/controller_oauth2_spec.rb:39 # SorceryController using create_from supports nested attributes
rspec ./spec/controllers/controller_oauth2_spec.rb:47 # SorceryController using create_from does not crash on missing nested attributes
rspec ./spec/controllers/controller_oauth2_spec.rb:57 # SorceryController using create_from with a block does not create user
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:1:2]' # SorceryController OAuth with session timeout features when facebook resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:2:2]' # SorceryController OAuth with session timeout features when github resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:3:2]' # SorceryController OAuth with session timeout features when google resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:4:2]' # SorceryController OAuth with session timeout features when liveid resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:5:2]' # SorceryController OAuth with session timeout features when vk resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:6:2]' # SorceryController OAuth with session timeout features when salesforce resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:7:2]' # SorceryController OAuth with session timeout features when slack resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:8:2]' # SorceryController OAuth with session timeout features when discord resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:9:2]' # SorceryController OAuth with session timeout features when battlenet resets session after session timeout
rspec ./spec/controllers/controller_oauth_spec.rb:136 # SorceryController  using 'create_from' creates a new user
rspec ./spec/controllers/controller_oauth_spec.rb:144 # SorceryController  using 'create_from' supports nested attributes
rspec ./spec/controllers/controller_oauth_spec.rb:152 # SorceryController  using 'create_from' does not crash on missing nested attributes
rspec ./spec/controllers/controller_oauth_spec.rb:172 # SorceryController  using 'create_from' with a block does not create user
rspec ./spec/controllers/controller_session_timeout_spec.rb:132 # SorceryController with session timeout features with 'session_timeout_from_last_action' does not logout if there was activity
rspec ./spec/controllers/controller_session_timeout_spec.rb:194 # SorceryController with session timeout features with remember_me module enable after session timeout resets session and remember_me
rspec ./spec/controllers/controller_spec.rb:67 # SorceryController when activated with sorcery #login when succeeds sets csrf token in session

[jankoegel]

re:
https://github.com/Sorcery/sorcery/blob/d9dc0bd80a3d5689398baea4489b14ed78e6c42d/lib/sorcery/controller.rb#L72

What do you mean by:

In the logged_in function, we call logout, and because of this, we are unable to reach the before_logout hook.

Do you mean the logged_in? function?

[PedroAugustoRamalhoDuarte]

re: https://github.com/Sorcery/sorcery/blob/d9dc0bd80a3d5689398baea4489b14ed78e6c42d/lib/sorcery/controller.rb#L72

What do you mean by:

In the logged_in function, we call logout, and because of this, we are unable to reach the before_logout hook.

Do you mean the logged_in? function?

Yes, now we logout inside validate_session inside logged_in? só will return false then would not call before_logout.

[PedroAugustoRamalhoDuarte]

The others test are failling due to upgrade from rspec-rails: Sorcery#358 (comment)

I can fixes then later too

[PedroAugustoRamalhoDuarte]

Thanks for preparing this. I had trouble running the Sorcery specs as well.

When I run the specs of this PR with Ruby 3.2.2 I get 20 failures [1] in total. The most relevant ones for us are:

rspec ./spec/controllers/controller_session_timeout_spec.rb:132 # SorceryController with session timeout features with 'session_timeout_from_last_action' does not logout if there was activity
rspec ./spec/controllers/controller_session_timeout_spec.rb:194 # SorceryController with session timeout features with remember_me module enable after session timeout resets session and remember_me

Is 132 also failing for you or only 194?

194's error for me is:

Failure/Error: expect(cookies['remember_me_token']).to be_nil

       expected: nil
            got: "BAh..."

Which is weird because I also test resetting og the remember_me_token after invalidation in my app's specs and there it correctly gets reset to "".

[1]

479 examples, 20 failures, 2 pending

Failed examples:

rspec ./spec/controllers/controller_oauth2_spec.rb:31 # SorceryController using create_from creates a new user
rspec ./spec/controllers/controller_oauth2_spec.rb:39 # SorceryController using create_from supports nested attributes
rspec ./spec/controllers/controller_oauth2_spec.rb:47 # SorceryController using create_from does not crash on missing nested attributes
rspec ./spec/controllers/controller_oauth2_spec.rb:57 # SorceryController using create_from with a block does not create user
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:1:2]' # SorceryController OAuth with session timeout features when facebook resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:2:2]' # SorceryController OAuth with session timeout features when github resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:3:2]' # SorceryController OAuth with session timeout features when google resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:4:2]' # SorceryController OAuth with session timeout features when liveid resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:5:2]' # SorceryController OAuth with session timeout features when vk resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:6:2]' # SorceryController OAuth with session timeout features when salesforce resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:7:2]' # SorceryController OAuth with session timeout features when slack resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:8:2]' # SorceryController OAuth with session timeout features when discord resets session after session timeout
rspec './spec/controllers/controller_oauth2_spec.rb[1:5:9:2]' # SorceryController OAuth with session timeout features when battlenet resets session after session timeout
rspec ./spec/controllers/controller_oauth_spec.rb:136 # SorceryController  using 'create_from' creates a new user
rspec ./spec/controllers/controller_oauth_spec.rb:144 # SorceryController  using 'create_from' supports nested attributes
rspec ./spec/controllers/controller_oauth_spec.rb:152 # SorceryController  using 'create_from' does not crash on missing nested attributes
rspec ./spec/controllers/controller_oauth_spec.rb:172 # SorceryController  using 'create_from' with a block does not create user
rspec ./spec/controllers/controller_session_timeout_spec.rb:132 # SorceryController with session timeout features with 'session_timeout_from_last_action' does not logout if there was activity
rspec ./spec/controllers/controller_session_timeout_spec.rb:194 # SorceryController with session timeout features with remember_me module enable after session timeout resets session and remember_me
rspec ./spec/controllers/controller_spec.rb:67 # SorceryController when activated with sorcery #login when succeeds sets csrf token in session

Yes the 132 is failling too, i will investigate in depth in the weekend.

[jankoegel]

Yes, now we logout inside validate_session inside logged_in? só will return false then would not call before_logout.

I still don't follow what the problem is.

You're right that validate_session gets called pretty much at the start of the controller's before actions.
if the sessiong has been invalidated, with this PR, we now call logout.

Logout manually calls the before_ and after_logout! hooks: https://github.com/Sorcery/sorcery/blob/d9dc0bd80a3d5689398baea4489b14ed78e6c42d/lib/sorcery/controller.rb#L75

---

side note

• perhaps you have a similar problem

• we had to add a workaround in our code - basically a before_action that runs before validate_session since we're retroactively adding the session_timeout submodule to an existing app. All our users' current sessions have no login_time and no last_action_time.
  Do you understand why there's a fallback to Time.now here?
  https://github.com/Sorcery/sorcery/blob/d9dc0bd80a3d5689398baea4489b14ed78e6c42d/lib/sorcery/controller/submodules/session_timeout.rb#L71

  It basically means that all legacy sessions (created before the session_timeout feature was activated) cannot be invalidated.

  Our custom before_action works around this by setting the session's [:login_time] to Jan 1, 2023 - a date that's guaranteed to be earlier than our rollout date.