added fix for active indexed tokens + improved data structure for wallet description

2025-12-22 18:30:15 +01:00
parent 2d6586430f
commit dfad7fb335
18 changed files with 307 additions and 26 deletions
--- a/api/pkg/db/internal/mongo/refreshtokensdb/db.go
+++ b/api/pkg/db/internal/mongo/refreshtokensdb/db.go
@@ -37,7 +37,9 @@ func Create(logger mlogger.Logger, db *mongo.Database) (*RefreshTokenDB, error)
 			{Field: "clientId", Sort: ri.Asc},
 			{Field: "deviceId", Sort: ri.Asc},
 		},
-		Unique: true,
+		Unique:        true,
+		Name:          "unique_active_session",
+		PartialFilter: repository.Filter(IsRevokedField, false),
 	}); err != nil {
 		p.Logger.Error("Failed to create unique account/client/device index", zap.Error(err))
 		return nil, err
--- a/api/pkg/db/internal/mongo/refreshtokensdb/refreshtokensdb_test.go
+++ b/api/pkg/db/internal/mongo/refreshtokensdb/refreshtokensdb_test.go
@@ -10,23 +10,29 @@ import (
 	"testing"
 	"time"

+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/tech/sendico/pkg/db/internal/mongo/refreshtokensdb"
 	"github.com/tech/sendico/pkg/db/repository"
 	"github.com/tech/sendico/pkg/db/repository/builder"
 	"github.com/tech/sendico/pkg/merrors"
 	factory "github.com/tech/sendico/pkg/mlogger/factory"
 	"github.com/tech/sendico/pkg/model"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	"github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/modules/mongodb"
 	"github.com/testcontainers/testcontainers-go/wait"
+	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/bson/primitive"
 	"go.mongodb.org/mongo-driver/mongo"
 	"go.mongodb.org/mongo-driver/mongo/options"
 )

 func setupTestDB(t *testing.T) (*refreshtokensdb.RefreshTokenDB, func()) {
+	db, _, cleanup := setupTestDBWithMongo(t)
+	return db, cleanup
+}
+
+func setupTestDBWithMongo(t *testing.T) (*refreshtokensdb.RefreshTokenDB, *mongo.Database, func()) {
 	// mark as helper for better test failure reporting
 	t.Helper()

@@ -62,7 +68,7 @@ func setupTestDB(t *testing.T) (*refreshtokensdb.RefreshTokenDB, func()) {
 		_ = mongoContainer.Terminate(termCtx)
 	}

-	return db, cleanup
+	return db, database, cleanup
 }

 func createTestRefreshToken(accountRef primitive.ObjectID, clientID, deviceID, token string) *model.RefreshToken {
@@ -332,6 +338,63 @@ func TestRefreshTokenDB_SessionReplacement(t *testing.T) {
 		_, err = db.GetByCRT(ctx, secondCRT)
 		require.NoError(t, err)
 	})
+
+	t.Run("Create_After_GlobalRevocation_AllowsNewActive", func(t *testing.T) {
+		userID := primitive.NewObjectID()
+		clientID := "web-app"
+		deviceID := "user-laptop"
+
+		firstToken := createTestRefreshToken(userID, clientID, deviceID, "revoked_token_123")
+		err := db.Create(ctx, firstToken)
+		require.NoError(t, err)
+		require.NotNil(t, firstToken.GetID())
+
+		// Global revoke (deviceID empty) — all tokens should be revoked
+		err = db.RevokeAll(ctx, userID, "")
+		require.NoError(t, err)
+
+		var revoked model.RefreshToken
+		err = db.Get(ctx, *firstToken.GetID(), &revoked)
+		require.NoError(t, err)
+		assert.True(t, revoked.IsRevoked)
+
+		// Creating a new token for the same account/client/device must succeed and produce an active token
+		reissueToken := createTestRefreshToken(userID, clientID, deviceID, "new_token_after_revocation")
+		err = db.Create(ctx, reissueToken)
+		require.NoError(t, err)
+
+		newCRT := &model.ClientRefreshToken{
+			SessionIdentifier: model.SessionIdentifier{
+				ClientID: clientID,
+				DeviceID: deviceID,
+			},
+			RefreshToken: "new_token_after_revocation",
+		}
+		_, err = db.GetByCRT(ctx, newCRT)
+		require.NoError(t, err)
+
+		// Old token must remain unusable
+		oldCRT := &model.ClientRefreshToken{
+			SessionIdentifier: model.SessionIdentifier{
+				ClientID: clientID,
+				DeviceID: deviceID,
+			},
+			RefreshToken: "revoked_token_123",
+		}
+		_, err = db.GetByCRT(ctx, oldCRT)
+		assert.Error(t, err)
+
+		// Both records exist: revoked + new active
+		query := repository.Query().
+			Filter(repository.AccountField(), userID).
+			And(
+				repository.Query().Comparison(repository.Field("clientId"), builder.Eq, clientID),
+				repository.Query().Comparison(repository.Field("deviceId"), builder.Eq, deviceID),
+			)
+		ids, err := db.Repository.ListIDs(ctx, query)
+		require.NoError(t, err)
+		assert.Len(t, ids, 2)
+	})
 }

 func TestRefreshTokenDB_ClientManagement(t *testing.T) {
@@ -637,3 +700,29 @@ func TestRefreshTokenDB_DatabaseIndexes(t *testing.T) {
 		assert.Len(t, ids, 5) // Should find 5 non-revoked tokens
 	})
 }
+
+func TestRefreshTokenDB_IndexPartialUniqueActiveSession(t *testing.T) {
+	db, database, cleanup := setupTestDBWithMongo(t)
+	defer cleanup()
+
+	ctx := context.Background()
+
+	cursor, err := database.Collection(db.Repository.Collection()).Indexes().List(ctx)
+	require.NoError(t, err)
+	defer cursor.Close(ctx)
+
+	found := false
+	for cursor.Next(ctx) {
+		var idx bson.M
+		require.NoError(t, cursor.Decode(&idx))
+		if idx["name"] == "unique_active_session" {
+			found = true
+			assert.Equal(t, true, idx["unique"])
+
+			partial, ok := idx["partialFilterExpression"].(bson.M)
+			require.True(t, ok)
+			assert.Equal(t, bson.M{"isRevoked": false}, partial)
+		}
+	}
+	assert.True(t, found, "unique_active_session index not found")
+}