Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API User Authentication doesn't update lastSeenAt #3025

Closed
BurnNoticeSpy opened this issue Aug 15, 2021 · 8 comments · Fixed by #3058
Closed

API User Authentication doesn't update lastSeenAt #3025

BurnNoticeSpy opened this issue Aug 15, 2021 · 8 comments · Fixed by #3058
Milestone
1.1

Comments

@BurnNoticeSpy
Copy link

Bug Report

Current Behavior
When you use the API to fetch a session token during user authentication, it does not trigger the user online status to be correctly updated. The lastSeenAt attribute doesn't reflect this action and subsequent API calls also do not cause any effect. Effectively, you cannot correctly display when a user is online because the data will never update.

Steps to Reproduce

  1. Make an API login request to /token
  2. Fetch user data
  3. Observe lastSeenAt on user model doesn't change

Expected Behavior
User's lastSeenAt attribute should reflect the time of login and/or further API requests sent to the server.

Environment

  • Flarum version: 1.0.4
  • Webserver: apache
  • Hosting environment: vps
  • PHP version: 7.4.3
@askvortsov1
Copy link
Sponsor Member

Bug Report

Current Behavior
When you use the API to fetch a session token during user authentication, it does not trigger the user online status to be correctly updated. The lastSeenAt attribute doesn't reflect this action and subsequent API calls also do not cause any effect. Effectively, you cannot correctly display when a user is online because the data will never update.

Steps to Reproduce

  1. Make an API login request to /token
  2. Fetch user data
  3. Observe lastSeenAt on user model doesn't change

Expected Behavior
User's lastSeenAt attribute should reflect the time of login and/or further API requests sent to the server.

Environment

  • Flarum version: 1.0.4
  • Webserver: apache
  • Hosting environment: vps
  • PHP version: 7.4.3

Hmm, I'm not sure that obtaining a token should count as a "seen at" operation. Using the token, on the other hand, should already result in last_seen_at being adjusted: https://github.com/flarum/core/blob/d82c093c0ff0984f70cfa52a2ea19cbdb5baa6ea/src/Http/Middleware/AuthenticateWithSession.php#L41-L41

@BurnNoticeSpy
Copy link
Author

Well i can agree on obtaining a auth token specifically, but immediately following the /token request a new request to get the user data is sent off (with the auth token included) and that's basically saying "I'm requesting the data for my account, because I've just signed in"? Which presumably should update the lastSeenAt, but after testing multiple times lastSeenAt doesn't change from null. Even when navigating discussions and posting comments......but the moment i use the original Flarum client and it does it's 'hard refresh' after signing in, bam the lastSeenAt updates correctly on my client!

So i don't know if it's something I'm doing specifically or what?

@askvortsov1
Copy link
Sponsor Member

but immediately following the /token request a new request to get the user data is sent off

Which endpoint are you hitting for this?

@BurnNoticeSpy
Copy link
Author

but immediately following the /token request a new request to get the user data is sent off

Which endpoint are you hitting for this?

/api/users/1

app.store.find('users', userId);

@askvortsov1
Copy link
Sponsor Member

/api/users/1

Are you authenticating with the token in question? What do your request headers look like?

@BurnNoticeSpy
Copy link
Author

BurnNoticeSpy commented Aug 26, 2021
edited
Loading

/api/users/1

Are you authenticating with the token in question? What do your request headers look like?

Yes.

GET /api/users/1 HTTP/1.1.
Host: [removed]
Connection: keep-alive
Accept: application/json, text/*
Authorization: Token Iq6uBuT7z9GKfUkH2cN8M9EV20utd0sI94tWAhRK; userId=1
User-Agent: [removed]
Referer: [removed]
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

I compared this to Flarum's /login endpoint and the difference is I'm not sending a X-CSRF-Token or Cookie. The request is successful however and so the server should have validated my session given that outcome.

@askvortsov1
Copy link
Sponsor Member

Ah, I see. We have the logic to updateLastSeen in the AuthenticateWithSession middleware but not AuthenticateWithHeader. That would probably make sense to include in https://github.com/flarum/core/blob/d82c093c0ff0984f70cfa52a2ea19cbdb5baa6ea/src/Http/Middleware/AuthenticateWithHeader.php#L50-L50.

askvortsov1 added a commit that referenced this issue Aug 27, 2021
@askvortsov1
Update lastSeenAt when authenticating via API
2bc6318 
Fixes #3025, title says it all.
@askvortsov1 askvortsov1 mentioned this issue Aug 27, 2021
Merged
@BurnNoticeSpy
Copy link
Author

👍 🎉 Good job @askvortsov1 ! Appreciate the swift resolution too :)

@askvortsov1 askvortsov1 added this to the 1.1 milestone Aug 27, 2021
askvortsov1 added a commit that referenced this issue Aug 27, 2021
@askvortsov1
Update lastSeenAt when authenticating via API (#3058)
da94488 
Fixes #3025, title says it all.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.1
Development

Successfully merging a pull request may close this issue.

Update lastSeenAt when authenticating via token flarum/framework
2 participants
@askvortsov1 @BurnNoticeSpy