feat: allow session deletion without session token (#6889)

* fix: add resource owner of user and change the one of session to instance * use user resource owner from session projection * fix session permission check * integration tests and fixes * update api docs
2025-08-11 20:57:31 +00:00 · 2023-11-16 08:35:50 +02:00
parent 0948a0b9ae
commit 2e8c3b5a53
18 changed files with 448 additions and 301 deletions
--- a/internal/query/session.go
+++ b/internal/query/session.go
@@ -130,6 +130,10 @@ var (
 		name:  projection.SessionColumnUserID,
 		table: sessionsTable,
 	}
+	SessionColumnUserResourceOwner = Column{
+		name:  projection.SessionColumnUserResourceOwner,
+		table: sessionsTable,
+	}
 	SessionColumnUserCheckedAt = Column{
 		name:  projection.SessionColumnUserCheckedAt,
 		table: sessionsTable,
@@ -287,10 +291,10 @@ func prepareSessionQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuil
 			SessionColumnResourceOwner.identifier(),
 			SessionColumnCreator.identifier(),
 			SessionColumnUserID.identifier(),
+			SessionColumnUserResourceOwner.identifier(),
 			SessionColumnUserCheckedAt.identifier(),
 			LoginNameNameCol.identifier(),
 			HumanDisplayNameCol.identifier(),
-			UserResourceOwnerCol.identifier(),
 			SessionColumnPasswordCheckedAt.identifier(),
 			SessionColumnIntentCheckedAt.identifier(),
 			SessionColumnWebAuthNCheckedAt.identifier(),
@@ -314,10 +318,10 @@ func prepareSessionQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuil

 			var (
 				userID              sql.NullString
+				userResourceOwner   sql.NullString
 				userCheckedAt       sql.NullTime
 				loginName           sql.NullString
 				displayName         sql.NullString
-				userResourceOwner   sql.NullString
 				passwordCheckedAt   sql.NullTime
 				intentCheckedAt     sql.NullTime
 				webAuthNCheckedAt   sql.NullTime
@@ -341,10 +345,10 @@ func prepareSessionQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuil
 				&session.ResourceOwner,
 				&session.Creator,
 				&userID,
+				&userResourceOwner,
 				&userCheckedAt,
 				&loginName,
 				&displayName,
-				&userResourceOwner,
 				&passwordCheckedAt,
 				&intentCheckedAt,
 				&webAuthNCheckedAt,
@@ -369,10 +373,10 @@ func prepareSessionQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuil
 			}

 			session.UserFactor.UserID = userID.String
+			session.UserFactor.ResourceOwner = userResourceOwner.String
 			session.UserFactor.UserCheckedAt = userCheckedAt.Time
 			session.UserFactor.LoginName = loginName.String
 			session.UserFactor.DisplayName = displayName.String
-			session.UserFactor.ResourceOwner = userResourceOwner.String
 			session.PasswordFactor.PasswordCheckedAt = passwordCheckedAt.Time
 			session.IntentFactor.IntentCheckedAt = intentCheckedAt.Time
 			session.WebAuthNFactor.WebAuthNCheckedAt = webAuthNCheckedAt.Time
@@ -400,10 +404,10 @@ func prepareSessionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBui
 			SessionColumnResourceOwner.identifier(),
 			SessionColumnCreator.identifier(),
 			SessionColumnUserID.identifier(),
+			SessionColumnUserResourceOwner.identifier(),
 			SessionColumnUserCheckedAt.identifier(),
 			LoginNameNameCol.identifier(),
 			HumanDisplayNameCol.identifier(),
-			UserResourceOwnerCol.identifier(),
 			SessionColumnPasswordCheckedAt.identifier(),
 			SessionColumnIntentCheckedAt.identifier(),
 			SessionColumnWebAuthNCheckedAt.identifier(),
@@ -426,10 +430,10 @@ func prepareSessionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBui

 				var (
 					userID              sql.NullString
+					userResourceOwner   sql.NullString
 					userCheckedAt       sql.NullTime
 					loginName           sql.NullString
 					displayName         sql.NullString
-					userResourceOwner   sql.NullString
 					passwordCheckedAt   sql.NullTime
 					intentCheckedAt     sql.NullTime
 					webAuthNCheckedAt   sql.NullTime
@@ -450,10 +454,10 @@ func prepareSessionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBui
 					&session.ResourceOwner,
 					&session.Creator,
 					&userID,
+					&userResourceOwner,
 					&userCheckedAt,
 					&loginName,
 					&displayName,
-					&userResourceOwner,
 					&passwordCheckedAt,
 					&intentCheckedAt,
 					&webAuthNCheckedAt,
@@ -470,10 +474,10 @@ func prepareSessionsQuery(ctx context.Context, db prepareDatabase) (sq.SelectBui
 					return nil, errors.ThrowInternal(err, "QUERY-SAfeg", "Errors.Internal")
 				}
 				session.UserFactor.UserID = userID.String
+				session.UserFactor.ResourceOwner = userResourceOwner.String
 				session.UserFactor.UserCheckedAt = userCheckedAt.Time
 				session.UserFactor.LoginName = loginName.String
 				session.UserFactor.DisplayName = displayName.String
-				session.UserFactor.ResourceOwner = userResourceOwner.String
 				session.PasswordFactor.PasswordCheckedAt = passwordCheckedAt.Time
 				session.IntentFactor.IntentCheckedAt = intentCheckedAt.Time
 				session.WebAuthNFactor.WebAuthNCheckedAt = webAuthNCheckedAt.Time