feat: allow session deletion without session token (#6889)

* fix: add resource owner of user and change the one of session to instance * use user resource owner from session projection * fix session permission check * integration tests and fixes * update api docs
2025-08-11 21:17:32 +00:00 · 2023-11-16 08:35:50 +02:00
parent 0948a0b9ae
commit 2e8c3b5a53
18 changed files with 448 additions and 301 deletions
--- a/internal/api/grpc/session/v2/session.go
+++ b/internal/api/grpc/session/v2/session.go
@@ -355,7 +355,7 @@ func (s *Server) checksToCommand(ctx context.Context, checks *session.Checks) ([

 		// trigger activity log for session for user
 		activity.Trigger(ctx, user.ResourceOwner, user.ID, activity.SessionAPI)
-		sessionChecks = append(sessionChecks, command.CheckUser(user.ID))
+		sessionChecks = append(sessionChecks, command.CheckUser(user.ID, user.ResourceOwner))
 	}
 	if password := checks.GetPassword(); password != nil {
 		sessionChecks = append(sessionChecks, command.CheckPassword(password.GetPassword()))
--- a/internal/api/grpc/session/v2/session_integration_test.go
+++ b/internal/api/grpc/session/v2/session_integration_test.go
@@ -158,7 +158,7 @@ func TestServer_CreateSession(t *testing.T) {
 			},
 			want: &session.CreateSessionResponse{
 				Details: &object.Details{
-					ResourceOwner: Tester.Organisation.ID,
+					ResourceOwner: Tester.Instance.InstanceID(),
 				},
 			},
 		},
@@ -177,7 +177,7 @@ func TestServer_CreateSession(t *testing.T) {
 			},
 			want: &session.CreateSessionResponse{
 				Details: &object.Details{
-					ResourceOwner: Tester.Organisation.ID,
+					ResourceOwner: Tester.Instance.InstanceID(),
 				},
 			},
 			wantUserAgent: &session.UserAgent{
@@ -205,7 +205,7 @@ func TestServer_CreateSession(t *testing.T) {
 			},
 			want: &session.CreateSessionResponse{
 				Details: &object.Details{
-					ResourceOwner: Tester.Organisation.ID,
+					ResourceOwner: Tester.Instance.InstanceID(),
 				},
 			},
 			wantExpirationWindow: 5 * time.Minute,
@@ -224,7 +224,7 @@ func TestServer_CreateSession(t *testing.T) {
 			},
 			want: &session.CreateSessionResponse{
 				Details: &object.Details{
-					ResourceOwner: Tester.Organisation.ID,
+					ResourceOwner: Tester.Instance.InstanceID(),
 				},
 			},
 			wantFactors: []wantFactor{wantUserFactor},
@@ -660,6 +660,77 @@ func TestServer_SetSession_expired(t *testing.T) {
 	require.Error(t, err)
 }

+func TestServer_DeleteSession_token(t *testing.T) {
+	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+	require.NoError(t, err)
+
+	_, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{
+		SessionId:    createResp.GetSessionId(),
+		SessionToken: gu.Ptr("invalid"),
+	})
+	require.Error(t, err)
+
+	_, err = Client.DeleteSession(CTX, &session.DeleteSessionRequest{
+		SessionId:    createResp.GetSessionId(),
+		SessionToken: gu.Ptr(createResp.GetSessionToken()),
+	})
+	require.NoError(t, err)
+}
+
+func TestServer_DeleteSession_own_session(t *testing.T) {
+	// create two users for the test and a session each to get tokens for authorization
+	user1 := Tester.CreateHumanUser(CTX)
+	Tester.SetUserPassword(CTX, user1.GetUserId(), integration.UserPassword)
+	_, token1, _, _ := Tester.CreatePasswordSession(t, CTX, user1.GetUserId(), integration.UserPassword)
+
+	user2 := Tester.CreateHumanUser(CTX)
+	Tester.SetUserPassword(CTX, user2.GetUserId(), integration.UserPassword)
+	_, token2, _, _ := Tester.CreatePasswordSession(t, CTX, user2.GetUserId(), integration.UserPassword)
+
+	// create a new session for the first user
+	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+		Checks: &session.Checks{
+			User: &session.CheckUser{
+				Search: &session.CheckUser_UserId{
+					UserId: user1.GetUserId(),
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	// delete the new (user1) session must not be possible with user (has no permission)
+	_, err = Client.DeleteSession(Tester.WithAuthorizationToken(context.Background(), token2), &session.DeleteSessionRequest{
+		SessionId: createResp.GetSessionId(),
+	})
+	require.Error(t, err)
+
+	// delete the new (user1) session by himself
+	_, err = Client.DeleteSession(Tester.WithAuthorizationToken(context.Background(), token1), &session.DeleteSessionRequest{
+		SessionId: createResp.GetSessionId(),
+	})
+	require.NoError(t, err)
+}
+
+func TestServer_DeleteSession_with_permission(t *testing.T) {
+	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+		Checks: &session.Checks{
+			User: &session.CheckUser{
+				Search: &session.CheckUser_UserId{
+					UserId: User.GetUserId(),
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	// delete the new session by ORG_OWNER
+	_, err = Client.DeleteSession(Tester.WithAuthorization(context.Background(), integration.OrgOwner), &session.DeleteSessionRequest{
+		SessionId: createResp.GetSessionId(),
+	})
+	require.NoError(t, err)
+}
+
 func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 	// create new, empty session
 	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})