Police-Data-Accessibility-Project / data-sources-app

An API and UI for using and maintaining the Data Sources database
MIT License

Remove unnecessary where condition in `RefreshSession` post method #308

Open maxachis opened 1 month ago

maxachis commented 1 month ago

Here is the script for RefreshSession:


from datetime import datetime as dt
from typing import Any, Dict


class RefreshSession(PsycopgResource):
    """
    Provides a resource for refreshing a user's session token.
    If the provided session token is valid and not expired, it is replaced with a new one.
    """

    @handle_exceptions
    def post(self) -> Dict[str, Any]:
        """
        Processes the session token refresh request. If the provided session token is valid,
        it generates a new session token, invalidates the old one, and returns the new token.

        Returns:
        - A dictionary containing a message of success or failure, and the new session token if successful.
        """
        # ...
        # Invalidate the old token. The second condition only matches rows
        # that have already expired, so an early refresh leaves the old row in place.
        cursor.execute(
            f"delete from session_tokens where token = '{old_token}' and expiration_date < '{dt.utcnow()}'"
        )
        # ...
        # ...

Unless I'm missing something, and expiration_date < '{dt.utcnow()}' is unnecessary and adds a bug: each session token should be unique, so the token alone should be sufficient. And since we're refreshing a session token, the expiration date shouldn't matter. As is, this means that if /refresh_session is called before the session token expires, the previous session token will still exist in the database, even as a new session token is created.

This part of the where clause should thus be removed. To be safe, tests should make sure that no unexpected downstream effects occur from getting rid of this.
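To make the reported behaviour concrete, the following is an added example, not code from the data-sources-app repository: it reproduces the refresh flow against an in-memory SQLite table with the same columns the quoted query touches (the table layout, the `email` column, the token format and the five-minute lifetime are assumptions for the demo), runs the DELETE once with the extra `expiration_date <` condition and once without it, and counts which tokens remain live afterwards. Parameterised queries are used throughout because that is the idiomatic form in both sqlite3 and psycopg; the original snippet interpolates values into the SQL string instead.

```python
"""
Added example (not the project's code): reproduce the RefreshSession bug from
the issue with sqlite3, then show the corrected DELETE.
"""
import secrets
import sqlite3
from datetime import datetime, timedelta
from typing import Callable, Optional, Tuple

TOKEN_TTL = timedelta(minutes=5)  # assumed lifetime, for the demo only


def make_db() -> sqlite3.Connection:
    # Assumed table shape; only token and expiration_date appear in the issue.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table session_tokens ("
        " token text primary key,"
        " email text not null,"
        " expiration_date text not null)"
    )
    return conn


def issue_token(conn: sqlite3.Connection, email: str, now: datetime) -> str:
    token = secrets.token_urlsafe(32)
    conn.execute(
        "insert into session_tokens (token, email, expiration_date) values (?, ?, ?)",
        (token, email, (now + TOKEN_TTL).isoformat()),
    )
    return token


def _lookup(conn: sqlite3.Connection, token: str, now: datetime) -> Optional[str]:
    """Return the owner's email if the token exists and has not expired."""
    row = conn.execute(
        "select email, expiration_date from session_tokens where token = ?", (token,)
    ).fetchone()
    if row is None or row[1] < now.isoformat():
        return None
    return row[0]


def refresh_buggy(conn: sqlite3.Connection, old_token: str, now: datetime) -> Optional[str]:
    """Mirrors the WHERE clause quoted in the issue: the old row is deleted only
    if it has already expired, so a refresh before expiry leaves it behind."""
    email = _lookup(conn, old_token, now)
    if email is None:
        return None
    conn.execute(
        "delete from session_tokens where token = ? and expiration_date < ?",
        (old_token, now.isoformat()),
    )
    return issue_token(conn, email, now)


def refresh_fixed(conn: sqlite3.Connection, old_token: str, now: datetime) -> Optional[str]:
    """Proposed fix: the (unique) token alone identifies the row to invalidate."""
    email = _lookup(conn, old_token, now)
    if email is None:
        return None
    conn.execute("delete from session_tokens where token = ?", (old_token,))
    return issue_token(conn, email, now)


def scenario(refresh: Callable[..., Optional[str]]) -> Tuple[bool, bool, int]:
    """Issue a token, refresh it one minute later (well before expiry), and report
    (old token still live, new token live, number of live tokens)."""
    now = datetime(2024, 1, 1, 12, 0, 0)
    conn = make_db()
    old = issue_token(conn, "user@example.com", now)
    later = now + timedelta(minutes=1)
    new = refresh(conn, old, later)
    assert new is not None
    live = {r[0] for r in conn.execute("select token from session_tokens")}
    return old in live, new in live, len(live)


if __name__ == "__main__":
    print("buggy:", scenario(refresh_buggy))  # old token survives the refresh
    print("fixed:", scenario(refresh_fixed))  # only the new token remains
```

Running the script shows the buggy variant leaving two live tokens for the same user after one refresh, while the fixed variant leaves exactly one; the expired-token check in `_lookup` is what the docstring's "valid and not expired" wording implies, so the `expiration_date` comparison belongs there, not in the DELETE.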