Revoke session tokens on logout.

Author: adsnaider

migrations/2022-02-21-211645_create_sessions/up.sql

@@ -3,10 +3,7 @@ CREATE TABLE persistent_sessions
     id SERIAL
         CONSTRAINT persistent_sessions_pk
             PRIMARY KEY,
-    user_id INTEGER NOT NULL
-        CONSTRAINT persistent_sessions_users_id_fk
-            REFERENCES users
-            ON UPDATE CASCADE ON DELETE CASCADE,
+    user_id INTEGER NOT NULL,
     hashed_token bytea NOT NULL,
     created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
     last_used_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
@@ -17,5 +14,5 @@ CREATE TABLE persistent_sessions
 
 COMMENT ON TABLE persistent_sessions IS 'This table contains the hashed tokens for all of the cookie-based persistent sessions';
 
-CREATE INDEX persistent_sessions_user_id_index
-    ON persistent_sessions (user_id);
+CREATE INDEX persistent_sessions_token_index
+    ON persistent_sessions (hashed_token);

src/controllers/user/session.rs

@@ -168,7 +168,24 @@ fn save_user_to_database(
 
 /// Handles the `DELETE /api/private/session` route.
 pub fn logout(req: &mut dyn RequestExt) -> EndpointResult {
+    // TODO(adsnaider): Remove this.
     req.session_mut().remove(&"user_id".to_string());
+    if let Some(session_token) = req
+        .cookies()
+        .get(SESSION_COOKIE_NAME)
+        .map(|cookie| cookie.value().to_string())
+    {
+        req.cookies_mut().remove(Cookie::named(SESSION_COOKIE_NAME));
+
+        if let Ok(conn) = req.db_conn() {
+            match PersistentSession::revoke_from_token(&conn, &session_token) {
+                Ok(0) => {}
+                Ok(1) => {}
+                Ok(_count) => {}
+                Err(_e) => {}
+            }
+        }
+    }
     Ok(req.json(&true))
 }
 

src/models/persistent_session.rs

@@ -2,9 +2,11 @@ use chrono::NaiveDateTime;
 use diesel::prelude::*;
 use ipnetwork::IpNetwork;
 use std::net::IpAddr;
+use thiserror::Error;
 
 use crate::schema::persistent_sessions;
 use crate::util::token::SecureToken;
+use crate::util::token::SecureTokenKind;
 
 #[derive(Clone, Debug, PartialEq, Eq, Identifiable, Queryable)]
 #[table_name = "persistent_sessions"]
@@ -19,6 +21,14 @@ pub struct PersistentSession {
     pub last_user_agent: String,
 }
 
+#[derive(Error, Debug, PartialEq)]
+pub enum SessionError {
+    #[error("token prefix doesn't match session tokens")]
+    InvalidSessionToken,
+    #[error("database manipulation error")]
+    DieselError(#[from] diesel::result::Error),
+}
+
 impl PersistentSession {
     pub fn create<'a, 'b>(
         user_id: i32,
@@ -33,6 +43,19 @@ impl PersistentSession {
             last_user_agent,
         }
     }
+
+    pub fn revoke_from_token(conn: &PgConnection, token: &str) -> Result<usize, SessionError> {
+        let hashed_token = SecureToken::parse(SecureTokenKind::Session, token)
+            .ok_or(SessionError::InvalidSessionToken)?;
+        let sessions = persistent_sessions::table
+            .filter(persistent_sessions::hashed_token.eq(hashed_token))
+            .filter(persistent_sessions::revoked.eq(false));
+
+        diesel::update(sessions)
+            .set(persistent_sessions::revoked.eq(true))
+            .execute(conn)
+            .map_err(SessionError::DieselError)
+    }
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Insertable)]

src/schema.rs

@@ -1082,7 +1082,6 @@ joinable!(dependencies -> versions (version_id));
 joinable!(emails -> users (user_id));
 joinable!(follows -> crates (crate_id));
 joinable!(follows -> users (user_id));
-joinable!(persistent_sessions -> users (user_id));
 joinable!(publish_limit_buckets -> users (user_id));
 joinable!(publish_rate_overrides -> users (user_id));
 joinable!(readme_renderings -> versions (version_id));