Page MenuHomePhabricator

[lib][web][native] Pass preRequestUserState into invalidSessionRecovery
ClosedPublic

Authored by inka on Apr 11 2024, 6:05 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Dec 8, 4:56 PM
Unknown Object (File)
Thu, Nov 28, 10:50 PM
Unknown Object (File)
Thu, Nov 28, 8:27 PM
Unknown Object (File)
Thu, Nov 28, 6:27 PM
Unknown Object (File)
Nov 25 2024, 7:12 AM
Unknown Object (File)
Nov 6 2024, 8:53 AM
Unknown Object (File)
Nov 3 2024, 9:24 AM
Unknown Object (File)
Oct 15 2024, 4:47 PM
Subscribers

Details

Summary

issue: ENG-6126
We want to cross reference the user info from before the action was called with the current user info, to check if the same user is still logged in. Otherwise we could end up overriding a new users session with a recovery that was startd for the previous user.

Test Plan

Tested on both platforms that normal logins and loguts work as expected
Tested on native that if a COOKIE_INVALIDATION_RESOLUTION_ATTEMPT login with a different user id is dispatched, then the action is disregarded

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

inka requested review of this revision.Apr 11 2024, 6:25 AM
tomek added inline comments.
lib/actions/siwe-actions.js
83 ↗(On Diff #39056)

Why do we set it to null?

native/redux/redux-setup.js
203–210 ↗(On Diff #39056)

What's the reason behind having preRequestUserState in one and preRequestUserInfo in another? Can we make this consistent?

203–210 ↗(On Diff #39056)

Are the old values the same as the new ones, or are we introducing a change in the logic here?

This revision is now accepted and ready to land.Apr 15 2024, 1:21 AM
lib/actions/siwe-actions.js
83 ↗(On Diff #39056)

Siwe auth is never a recovery, so we know the user was logged out

native/redux/redux-setup.js
203–210 ↗(On Diff #39056)

This changes the logic, because this fixes it:
invalidSessionRecovery is supposed to check if the user that is logged in is the same user as the one for whom the action was dispatched. It's not a valid session recovery, if it's a different user. For login this change shouldn't change anything, since the user info returned by login should be the same as the user info before the login (unless the user was logged out before the login, but that is handled as well). For session change the new user info can be a logged out user info though, so we need to check the preRequestUserState

203–210 ↗(On Diff #39056)

PreRequestUserState includes

+cookiesAndSessions: {
  +[keyserverID: string]: PreRequestUserKeyserverSessionInfo,
},

which are needed for setNewSessionActionType. They are not needed for logInActionTypes, so we don't include them there. So I would rather leave this as is, and not make the login action unnecessarily large.

This diff led to ENG-7706 because preRequestUserState was not correctly stripped from calls to keyserver