fix: correctly set user agent / fingerprint id on user sessions (#8231)

# Which Problems Are Solved

When we switched to V2 tokens (#7822), the user agent was incorrectly
set for sessions created through the login UI.
Additionally, when calling the ListMyUserSessions from the AuthService,
any session without the fingerprint ID (e.g. created through the session
API) would be listed.

# How the Problems Are Solved

- Use the intended ID of the user agent (fingerprint)
- Ignore empty user agent IDs when listing the user sessions

# Additional Changes

None.

# Additional Context

- relates #7822 
- closes #8213
Livio Spring
2024-07-03 09:43:34 +02:00
committed by GitHub
parent c8e168ac69
commit 08a75635d2
5 changed files with 13 additions and 12 deletions


@@ -555,7 +555,7 @@ func (s *Server) authResponseToken(authReq *AuthRequest, authorizer op.Authorize
authReq.AuthTime,
authReq.GetNonce(),
authReq.PreferredLanguage,
authReq.BrowserInfo.ToUserAgent(),
authReq.ToUserAgent(),
domain.TokenReasonAuthRequest,
nil,
slices.Contains(scope, oidc.ScopeOfflineAccess),


@@ -81,7 +81,7 @@ func (s *Server) codeExchangeV1(ctx context.Context, client *Client, req *oidc.A
authReq.AuthTime,
authReq.GetNonce(),
authReq.PreferredLanguage,
authReq.BrowserInfo.ToUserAgent(),
authReq.ToUserAgent(),
domain.TokenReasonAuthRequest,
nil,
slices.Contains(scope, oidc.ScopeOfflineAccess),


@@ -162,7 +162,7 @@ func (l *Login) handleDeviceAuthAction(w http.ResponseWriter, r *http.Request) {
action := mux.Vars(r)["action"]
switch action {
case deviceAuthAllowed:
_, err = l.command.ApproveDeviceAuth(r.Context(), authDev.DeviceCode, authReq.UserID, authReq.UserOrgID, authReq.UserAuthMethodTypes(), authReq.AuthTime, authReq.PreferredLanguage, authReq.BrowserInfo.ToUserAgent())
_, err = l.command.ApproveDeviceAuth(r.Context(), authDev.DeviceCode, authReq.UserID, authReq.UserOrgID, authReq.UserAuthMethodTypes(), authReq.AuthTime, authReq.PreferredLanguage, authReq.ToUserAgent())
case deviceAuthDenied:
_, err = l.command.CancelDeviceAuth(r.Context(), authDev.DeviceCode, domain.DeviceAuthCanceledDenied)
default:


@@ -23,14 +23,15 @@ func BrowserInfoFromRequest(r *net_http.Request) *BrowserInfo {
}
}
func (b *BrowserInfo) ToUserAgent() *UserAgent {
if b == nil {
return nil
func (a *AuthRequest) ToUserAgent() *UserAgent {
agent := &UserAgent{
FingerprintID: &a.AgentID,
}
return &UserAgent{
FingerprintID: &b.UserAgent,
IP: b.RemoteIP,
Description: &b.UserAgent,
Header: b.Header,
if a.BrowserInfo == nil {
return agent
}
agent.IP = a.BrowserInfo.RemoteIP
agent.Description = &a.BrowserInfo.UserAgent
agent.Header = a.BrowserInfo.Header
return agent
}
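Review bot: The new AuthRequest.ToUserAgent drops the nil-receiver guard that the removed BrowserInfo.ToUserAgent had, so a nil *AuthRequest now panics at `&a.AgentID` instead of yielding a nil *UserAgent; the call sites changed in this commit dereference authReq before calling it, but any other caller that relied on the old nil tolerance regresses, so add `if a == nil { return nil }` as the first statement. FingerprintID is also set to `&a.AgentID` even when AgentID is the empty string, so consumers receive a non-nil pointer to ""; if nil is what they treat as "no fingerprint", leaving it nil for an empty AgentID would keep that distinction in the type rather than only in the user_sessions query's `<> ''` filter. The exported method has no doc comment; `// ToUserAgent builds the UserAgent for the request, using AgentID as the fingerprint and, when BrowserInfo is present, its IP, description and header.` BrowserInfoFromRequest at the top of the hunk starts outside it.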


@@ -22,6 +22,6 @@ FROM auth.user_sessions s
LEFT JOIN projections.users13 u ON s.user_id = u.id AND s.instance_id = u.instance_id
LEFT JOIN projections.users13_humans h ON s.user_id = h.user_id AND s.instance_id = h.instance_id
LEFT JOIN projections.login_names3 l ON s.user_id = l.user_id AND s.instance_id = l.instance_id AND l.is_primary = true
WHERE (s.user_agent_id = $1)
WHERE (s.user_agent_id = $1 and s.user_agent_id <> '')
AND (s.instance_id = $2)
;
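Review bot: The added `s.user_agent_id <> ''` condition is effectively a check on the parameter, since the row already has to equal $1, so `AND $1 <> ''` (or returning early in the Go caller when the agent ID is empty and skipping the query) states the intent more directly. Before this guard an empty fingerprint matched every session stored with an empty user_agent_id in the instance, which presumably includes sessions belonging to other users, so a regression test asserting that ListMyUserSessions with an empty agent ID returns no rows would lock the fix in. If user_agent_id is nullable, `<> ''` yields NULL for those rows and excludes them, which is the intended outcome here but worth a short comment next to the condition. The query's SELECT list starts outside the hunk.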