From bff621b95204821bbedbf6ef61dea2b4bb3d298c Mon Sep 17 00:00:00 2001
From: Ben Brooks <ben.brooks@couchbase.com>
Date: Fri, 15 Nov 2024 10:23:27 +0000
Subject: [PATCH] Cover user.UpdateSessionUUID with a unit test to ensure it
 makes previously created sessions unusable

---
 auth/session_test.go | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/auth/session_test.go b/auth/session_test.go
index cbb575b571..75a1547bac 100644
--- a/auth/session_test.go
+++ b/auth/session_test.go
@@ -312,3 +312,40 @@ func TestUserWithoutSessionUUID(t *testing.T) {
 	require.NoError(t, err)
 
 }
+
+// TestUserDeleteAllSessions changes the session UUID on a user such that existing sessions should not be usable.
+func TestUserDeleteAllSessions(t *testing.T) {
+	ctx := base.TestCtx(t)
+	testBucket := base.GetTestBucket(t)
+	defer testBucket.Close(ctx)
+	dataStore := testBucket.GetSingleDataStore()
+	auth := NewTestAuthenticator(t, dataStore, nil, DefaultAuthenticatorOptions(ctx))
+	const username = "Alice"
+	user, err := auth.NewUser(username, "password", base.Set{})
+	require.NoError(t, err)
+	require.NotNil(t, user)
+	require.NoError(t, auth.Save(user))
+
+	// Create session with a username and valid TTL of 2 hours.
+	session, err := auth.CreateSession(ctx, user, 2*time.Hour)
+	require.NoError(t, err)
+
+	session, err = auth.GetSession(session.ID)
+	require.NoError(t, err)
+
+	request, err := http.NewRequest(http.MethodGet, "", nil)
+	require.NoError(t, err)
+	request.AddCookie(auth.MakeSessionCookie(session, true, true))
+	recorder := httptest.NewRecorder()
+
+	_, err = auth.AuthenticateCookie(request, recorder)
+	require.NoError(t, err)
+
+	// h.deleteUserSessions() equivalent
+	user.UpdateSessionUUID()
+	err = auth.Save(user)
+	require.NoError(t, err)
+
+	_, err = auth.AuthenticateCookie(request, recorder)
+	require.EqualError(t, err, "401 Session no longer valid for user")
+}