Firesphere / silverstripe-graphql-jwt

JWT Authentication for GraphQL
GNU General Public License v3.0

LoginSessionMiddleware logs out user on token validation #36

Open reimerwilliam opened 2 years ago

reimerwilliam commented 2 years ago

Using the GraphQL 4 upgrade branch from unclecheese, you won't be able to validate a token due to the LoginSessionMiddleware from silverstripe/session-manager not being able to find a session and therefore calling logOut on the IdentityStore. A temporary fix to this problem is to disable that middleware.

The code causing the problem in LoginSessionMiddleware:

$loginSessionID = $request->getSession()->get($loginHandler->getSessionVariable());
$loginSession = LoginSession::get()->byID($loginSessionID);

// If the session has already been revoked, or we've got a mismatched
// member / session, log the user out (this also revokes the session)
if (!$loginSession || (int)$loginSession->MemberID !== (int)$member->ID) {
    RememberLoginHash::setLogoutAcrossDevices(false);
    $identityStore = Injector::inst()->get(IdentityStore::class);
    $identityStore->logOut($request);
    return $delegate($request);
}

The versions I used when encountering this issue:

silverstripe/cms: 4.10.2
silverstripe/framework: 4.10.10
silverstripe/graphql: 4.0.0-alpha3

There was a short discussion regarding this in the Slack channel: https://silverstripe-users.slack.com/archives/C39NVTQNQ/p1658213656127059

Firesphere commented 2 years ago

Tagging @tractorcow @unclecheese

unclecheese commented 2 years ago

Where is LoginSessionMiddleware? I don't see it anywhere in the core or this module.

reimerwilliam commented 2 years ago

> Where is LoginSessionMiddleware? I don't see it anywhere in the core or this module.

It's in silverstripe/session-manager.

ec8or commented 2 years ago

Happening to me as well, @tractorcow did you manage to have a look? I've disabled LoginSessionMiddleware for now but will poke around a bit more tomorrow and see if I can figure out what's going on.

Firesphere commented 2 years ago

I might have a look somewhere this weekend... but no promises...