Fix EZP-26179: REST session refresh must throw a 404 if session has expired

[bdunogier]

Relates to EZP-26179 / ezsystems/platform-ui-bundle#668
Implements EZP-26720 (use session auth in REST functional tests)
Fixes EZP-25038 (error when logging in with REST if a session was started before)

According to the specifications, /api/ezp/v2/user/sessions/<id>/refresh must throw a 404 if the session doesn't exist / has expired.

Because of the CSRF token check in the CsrfListener, a 401 is thrown because the csrf token verification fails, as the session has expired, and we don't have a stored token anymore.

This changes the CsrfListener to skip this route, and explicitly checks in the refresh controller action if the token has expired using the Csrf TokenStorage.

[andrerom]

Some questions:

• what is going on in catch (SessionUnavailableException $e) => it seems RestNotFoundException is not thrown anymore => and is logout safe not matter what? (session id change, session deleted, ..)
• is there any possibility of get login to reuse the new abstract methods?
• we also talked about doing similar things to DELETE, still on the agenda or not relevant?

:)

[dpobel]

it seems to work :)

we also talked about doing similar things to DELETE, still on the agenda or not relevant?

As far as I can tell, that's not strictly needed to fix the original issue but IMHO, it would make sense to have the same behavior when deleting the session through REST.

[dpobel]

now it does more than just checking if we try to login the user

[bdunogier]

Deprecated in favour of isSessionRoute($route)

[dpobel]

in addition to the previous comments, it would also be nice to complete https://github.com/ezsystems/ezpublish-kernel/blob/master/doc/specifications/rest/REST-API-V2.rst#refresh-session-get-sessions-user-information (and potentially the DELETE part as well) to precise that the session cookie is also deleted in error cases.

[bdunogier]

we also talked about doing similar things to DELETE, still on the agenda or not relevant?

Changed to use the same behaviour (ignored in CsrfListener, check if we have a token in the controller).

what is going on in catch (SessionUnavailableException $e) => it seems RestNotFoundException is not thrown anymore => and is logout safe not matter what? (session id change, session deleted, ..)

Yes. I've decided to take a shortcut and return a response here. RestNotFoundException implies that visitors are able to do that. The DeletedUserSession one does it by passing the Response object returned by logout(), and have the visitor copy the headers. I found it a bit heavy, and not that useful, since we don't even have a response body, and chose to return a response directly, since we have one.

[bdunogier]

But now I'm thinking that the csrf check in refresh and delete session are a bit wrong: the actual value of the csrf token won't be checked, since we only use the TokenStorage to check if there is a token.

I guess that we should first check if there is a token, and if there isn't, throw a 404. Then if we have a token, check that the token that was provided as input is correct.

[bdunogier]

Added csrf-token value check in both refresh and delete session. Also reorganized the code a little bit.

[andrerom]

given it is deprecated and not used this change should be removed I guess.

[bdunogier]

Good point :-)

[bdunogier]

Updated createSession() to use the newly added methods, improves readability a lot.

Will consider fixing the case where a session exists without a csrf token fixed (reported in JIRA), preventing from logging into PlatformUI if a frontend session was previously created.

[andrerom]

Will consider fixing the case where a session exists without a csrf token fixed (reported in JIRA), preventing from logging into PlatformUI if a frontend session was previously created.

Did you think about how we can do that?
Also note that issue was reported on 1.3.

Otherwise PR looks good :)

[bdunogier]

@andrerom : see d0f758b :)

Do we need to fix it in 1.3 ?

[bdunogier]

We should be good for review, everything's in.

[andrerom]

temp change?

[bdunogier]

I need to rephrase that a bit. This particular test breaks roles in the database, and prevents further tests from working.

[bdunogier]

Marked the test as skipped with the reason.

[andrerom]

Besides comment, +1

Do we need to fix it in 1.3 ?

Not a must, stay with current target.

[bdunogier]

@pcardiga : this is ready for QA. There are several fixes / changes in there. They must be tested on 1.4.x. A new version will be issued for master:

EZP-25038

If a session was started from the frontend (just use /#, it is impossible to log into PlatformUI without clearing the session cookie first. When it happens, REST will respond with a 401 because of a missing csrf token.

EZP-26179

This is the main issue fixed by this PR. It changes the behaviour of both refresh and delete session.

From a REST perspective, if either is used while a session has expired, they will now throw a 404, and delete the session cookie, instead of a 401 because of a missing csrf token.

From the UI, without this patch, if the session expires while on PlatformUI, it will be impossible to login again to the UI without deleting the session cookie. This can be tested together with ezsystems/platform-ui-bundle#668 on PlatformUI. Set sessions to expire quickly (session.gc_divisor = 1 + session.gc_maxlifetime = 10 will get sessions to expire after 10 seconds, and be garbage collected right away). Wait for the session to expire while logged into PlatformUI, and click on anything. Without the patches, you will get an error, and you will be unable to login again. With the patch, you will be redirected to the login screen, and be able to login again.

[pcardiga]

@bdunogier:
@miguelcleverti, on behalf of QA, is on it.
Meamwhile, following the new procedures, QA should also have a jira ticket in his kanban column and I see that both EZP-25038 and EZP-26179 are on development column. Can the main related issue be moved to QA?

[miguelcleverti]

@bdunogier

I was not able to reproduce the issue EZP-25038 only using the /# route but using the EventHandler provided in the jira issue I reproduced and tested it. Everything ok.

The issue EZP-26179 was tested using the ezsystems/platform-ui-bundle#668 as well and everything was ok. The only issue I had was not being able to make the garbage collector work after 10s, so I manually deleted the sessions. Doing this the response status return was a 404 instead of 401 and the PlatformUI redirected to the login.

These issues were tested on 1.4.x

[bdunogier]

I was not able to reproduce the issue EZP-25038 only using the /# route

Odd, this is how I trigger this case in the REST functional tests.

[bdunogier]

The error is a 1.4 related one. Composer didn't install the tested branch, but 5.4.2-rc1. This means that platform wasn't set to basic auth, and tests try to run with basic auth, hence the failure on everything that requires permissions other than anonymous.

Tested locally, with a 1.4 install frm scratch and the PR's branch, and it works as expected.