feat: allow session deletion without session token (#6889)

* fix: add resource owner of user and change the one of session to instance * use user resource owner from session projection * fix session permission check * integration tests and fixes * update api docs
2025-08-11 20:57:31 +00:00 · 2023-11-16 08:35:50 +02:00
parent 0948a0b9ae
commit 2e8c3b5a53
18 changed files with 448 additions and 301 deletions
--- a/internal/command/session_webauhtn.go
+++ b/internal/command/session_webauhtn.go
@@ -29,9 +29,9 @@ func (s *SessionCommands) getHumanWebAuthNTokens(ctx context.Context, userVerifi
 }

 func (s *SessionCommands) getHumanWebAuthNTokenReadModel(ctx context.Context, userVerification domain.UserVerificationRequirement) (readModel HumanWebAuthNTokensReadModel, err error) {
-	readModel = NewHumanU2FTokensReadModel(s.sessionWriteModel.UserID, "")
+	readModel = NewHumanU2FTokensReadModel(s.sessionWriteModel.UserID, s.sessionWriteModel.UserResourceOwner)
 	if userVerification == domain.UserVerificationRequirementRequired {
-		readModel = NewHumanPasswordlessTokensReadModel(s.sessionWriteModel.UserID, "")
+		readModel = NewHumanPasswordlessTokensReadModel(s.sessionWriteModel.UserID, s.sessionWriteModel.UserResourceOwner)
 	}
 	err = s.eventstore.FilterToQueryReducer(ctx, readModel)
 	if err != nil {