jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License

Fallback to account_id if session_value is not set for selecting active sessions #401

Closed enescakir closed 3 months ago

enescakir commented 3 months ago

When active_sessions_ds uses session_value to select active sessions, it doesn't return the sessions for not-logged-in users. This makes helpers like remove_all_active_sessions ineffective. In such situations, we can use account_id as a fallback to select the active session.

jeremyevans commented 3 months ago

Looks good, thanks for the patch!

bjeanes commented 1 month ago

@jeremyevans would you be willing to cut a release that includes this soon? This will allow me to apply a clean-up (which I had initially tried to resolve in #137):

diff --git a/app/core/authentication/rodauth_common.rb b/app/core/authentication/rodauth_common.rb
index 4458d0344..5a195f4f8 100644
--- a/app/core/authentication/rodauth_common.rb
+++ b/app/core/authentication/rodauth_common.rb
@@ -374,14 +374,7 @@ module Authentication
         super() if defined?(super)

         transaction do
-          # Expire all active sessions
-          #
-          # Unfortunately, can't use `remove_all_active_sessions` as it tries to read account_id from session, but we are
-          # not logged in. See https://github.com/jeremyevans/rodauth/pull/137
-          db[active_sessions_table]
-            .where(active_sessions_account_id_column => account_id)
-            .delete
-
+          remove_all_active_sessions
           disable_remember_login # expire all remember tokens
         end
       end
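
Review bot: The added `remove_all_active_sessions` line inside the `transaction` block runs in a path the removed comment describes as not logged in, so it only expires the account's sessions when the installed rodauth includes the `account_id` fallback from #401. On a version without that fallback, `active_sessions_ds` selects by `session_value`, returns no sessions for a not-logged-in user, and this hook would stop expiring sessions without raising an error. Suggest landing this together with a minimum rodauth version constraint for the release that contains #401, plus a test that runs this hook while logged out and asserts that no rows remain in `active_sessions_table` for `account_id`. A one-line comment noting the reliance on the fallback would also preserve the context lost with the deleted comment block.
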
jeremyevans commented 1 month ago

Sure, I can work on a release. Sorry about the delay.