feat: allow session deletion without session token (#6889)

* fix: add resource owner of user and change the one of session to instance * use user resource owner from session projection * fix session permission check * integration tests and fixes * update api docs
2025-08-11 18:57:32 +00:00 · 2023-11-16 08:35:50 +02:00
parent 0948a0b9ae
commit 2e8c3b5a53
18 changed files with 448 additions and 301 deletions
--- a/internal/command/auth_request.go
+++ b/internal/command/auth_request.go
@@ -90,7 +90,7 @@ func (c *Commands) LinkSessionToAuthRequest(ctx context.Context, id, sessionID,
 	if checkLoginClient && authz.GetCtxData(ctx).UserID != writeModel.LoginClient {
 		return nil, nil, errors.ThrowPermissionDenied(nil, "COMMAND-rai9Y", "Errors.AuthRequest.WrongLoginClient")
 	}
-	sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetCtxData(ctx).OrgID)
+	sessionWriteModel := NewSessionWriteModel(sessionID, authz.GetInstance(ctx).InstanceID())
 	err = c.eventstore.FilterToQueryReducer(ctx, sessionWriteModel)
 	if err != nil {
 		return nil, nil, err
@@ -98,7 +98,7 @@ func (c *Commands) LinkSessionToAuthRequest(ctx context.Context, id, sessionID,
 	if err = sessionWriteModel.CheckIsActive(); err != nil {
 		return nil, nil, err
 	}
-	if err := c.sessionPermission(ctx, sessionWriteModel, sessionToken, domain.PermissionSessionWrite); err != nil {
+	if err := c.sessionTokenVerifier(ctx, sessionToken, sessionWriteModel.AggregateID, sessionWriteModel.TokenID); err != nil {
 		return nil, nil, err
 	}