feat: allow session deletion without session token (#6889)

* fix: add resource owner of user and change the one of session to instance * use user resource owner from session projection * fix session permission check * integration tests and fixes * update api docs
2025-08-11 19:07:30 +00:00 · 2023-11-16 08:35:50 +02:00
parent 0948a0b9ae
commit 2e8c3b5a53
18 changed files with 448 additions and 301 deletions
--- a/internal/command/session_model.go
+++ b/internal/command/session_model.go
@@ -39,6 +39,7 @@ type SessionWriteModel struct {

 	TokenID              string
 	UserID               string
+	UserResourceOwner    string
 	UserCheckedAt        time.Time
 	PasswordCheckedAt    time.Time
 	IntentCheckedAt      time.Time
@@ -58,14 +59,14 @@ type SessionWriteModel struct {
 	aggregate *eventstore.Aggregate
 }

-func NewSessionWriteModel(sessionID string, resourceOwner string) *SessionWriteModel {
+func NewSessionWriteModel(sessionID string, instanceID string) *SessionWriteModel {
 	return &SessionWriteModel{
 		WriteModel: eventstore.WriteModel{
 			AggregateID:   sessionID,
-			ResourceOwner: resourceOwner,
+			ResourceOwner: instanceID,
 		},
 		Metadata:  make(map[string][]byte),
-		aggregate: &session.NewAggregate(sessionID, resourceOwner).Aggregate,
+		aggregate: &session.NewAggregate(sessionID, instanceID).Aggregate,
 	}
 }

@@ -141,6 +142,7 @@ func (wm *SessionWriteModel) reduceAdded(e *session.AddedEvent) {

 func (wm *SessionWriteModel) reduceUserChecked(e *session.UserCheckedEvent) {
 	wm.UserID = e.UserID
+	wm.UserResourceOwner = e.UserResourceOwner
 	wm.UserCheckedAt = e.CheckedAt
 }