Fix session expire error when opening settings

ref DEV-2501

Author: louischan-oursky

.vettedpositions

@@ -40,10 +40,10 @@
 /pkg/auth/handler/webapp/auth_entry_point_middleware.go:31:31: requestcontext
 /pkg/auth/handler/webapp/auth_entry_point_middleware.go:32:35: requestcontext
 /pkg/auth/handler/webapp/authflow_change_password.go:96:26: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:989:30: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:994:24: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:1002:19: requestcontext
-/pkg/auth/handler/webapp/authflow_controller.go:1011:19: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:990:30: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:995:24: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:1003:19: requestcontext
+/pkg/auth/handler/webapp/authflow_controller.go:1012:19: requestcontext
 /pkg/auth/handler/webapp/authflow_create_password.go:132:26: requestcontext
 /pkg/auth/handler/webapp/authflow_enter_oob_otp.go:156:26: requestcontext
 /pkg/auth/handler/webapp/authflow_enter_password.go:138:26: requestcontext

pkg/auth/handler/webapp/alternatives.go

@@ -28,7 +28,7 @@ type CreateAuthenticatorPhoneOTPNode interface {
 // nolint: gocognit
 func handleAlternativeSteps(ctrl *Controller) {
 	ctrl.PostAction("choose_step", func(ctx context.Context) (err error) {
-		session, err := ctrl.GetWebappSession(ctx)
+		session, err := ctrl.InteractionSession(ctx)
 		if err != nil {
 			return err
 		}

pkg/auth/handler/webapp/authflow_controller.go

@@ -202,7 +202,7 @@ func (c *AuthflowController) HandleStartOfFlow(
 	handleWithScreen(screen)
 }
 
-func (c *AuthflowController) isExpectedWebSessionError(err error) bool {
+func (c *AuthflowController) isWebSessionNotFoundOrCompletedError(err error) bool {
 	return apierrors.IsKind(err, webapp.WebUIInvalidSession) || apierrors.IsKind(err, webapp.WebUISessionCompleted)
 }
 
@@ -211,7 +211,7 @@ func (c *AuthflowController) HandleOAuthCallback(ctx context.Context, w http.Res
 
 	s, err := c.Sessions.Get(ctx, state.WebSessionID)
 	if err != nil {
-		if !c.isExpectedWebSessionError(err) {
+		if !c.isWebSessionNotFoundOrCompletedError(err) {
 			c.Logger.WithError(err).Errorf("failed to get web session")
 		}
 		c.renderError(ctx, w, r, err)
@@ -313,7 +313,7 @@ func (c *AuthflowController) HandleStep(ctx context.Context, w http.ResponseWrit
 
 	s, err := c.getWebSession(ctx)
 	if err != nil {
-		if !c.isExpectedWebSessionError(err) {
+		if !c.isWebSessionNotFoundOrCompletedError(err) {
 			c.Logger.WithError(err).Errorf("failed to get web session")
 		}
 		c.renderError(ctx, w, r, err)
@@ -345,7 +345,7 @@ func (c *AuthflowController) HandleWithoutFlow(ctx context.Context, w http.Respo
 	var session *webapp.Session
 	s, err := c.getWebSession(ctx)
 	if err != nil {
-		if !c.isExpectedWebSessionError(err) {
+		if !c.isWebSessionNotFoundOrCompletedError(err) {
 			c.Logger.WithError(err).Errorf("failed to get web session")
 		}
 	} else {
@@ -384,7 +384,8 @@ func (c *AuthflowController) getOrCreateWebSession(ctx context.Context, w http.R
 	if err == nil && s != nil {
 		return s, nil
 	}
-	if !errors.Is(err, webapp.ErrSessionNotFound) {
+
+	if !c.isWebSessionNotFoundOrCompletedError(err) {
 		return nil, err
 	}
 

pkg/auth/handler/webapp/authflowv2/select_account.go

@@ -123,7 +123,7 @@ func (h *AuthflowV2SelectAccountHandler) ServeHTTP(w http.ResponseWriter, r *htt
 	ctrl.BeforeHandle(func(ctx context.Context) error {
 
 		// Ensure webapp session exist
-		ws, err := ctrl.GetWebappSession(ctx)
+		ws, err := ctrl.InteractionSession(ctx)
 		if err != nil {
 			return err
 		}

pkg/auth/handler/webapp/confirm_terminate_other_sessions.go

@@ -66,7 +66,7 @@ func (h *ConfirmTerminateOtherSessionsHandler) ServeHTTP(w http.ResponseWriter,
 	defer ctrl.ServeWithDBTx(r.Context())
 
 	ctrl.Get(func(ctx context.Context) error {
-		session, err := ctrl.GetWebappSession(ctx)
+		session, err := ctrl.InteractionSession(ctx)
 		if err != nil {
 			return err
 		}
@@ -91,7 +91,7 @@ func (h *ConfirmTerminateOtherSessionsHandler) ServeHTTP(w http.ResponseWriter,
 			return err
 		}
 
-		session, err := ctrl.GetWebappSession(ctx)
+		session, err := ctrl.InteractionSession(ctx)
 		if err != nil {
 			return err
 		}

pkg/auth/handler/webapp/controller.go

@@ -2,7 +2,6 @@ package webapp
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/http"
 
@@ -315,19 +314,16 @@ func (c *Controller) rewindSessionHistory(session *webapp.Session) error {
 	return nil
 }
 
-func (c *Controller) GetWebappSession(ctx context.Context) (*webapp.Session, error) {
+func (c *Controller) InteractionSession(ctx context.Context) (*webapp.Session, error) {
 	s := webapp.GetSession(ctx)
-	if s == nil {
+	if s == nil || s.IsCompleted {
 		return nil, webapp.ErrSessionNotFound
 	}
-	if s.IsCompleted {
-		return nil, webapp.ErrSessionCompleted
-	}
 	return s, nil
 }
 
 func (c *Controller) InteractionGet(ctx context.Context) (*interaction.Graph, error) {
-	s, err := c.GetWebappSession(ctx)
+	s, err := c.InteractionSession(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -348,7 +344,7 @@ func (c *Controller) InteractionGetWithSession(ctx context.Context, s *webapp.Se
 }
 
 func (c *Controller) InteractionPost(ctx context.Context, inputFn func() (interface{}, error)) (*webapp.Result, error) {
-	s, err := c.GetWebappSession(ctx)
+	s, err := c.InteractionSession(ctx)
 	if err != nil {
 		return nil, err
 	}
@@ -381,13 +377,9 @@ func (c *Controller) InteractionOAuthCallback(ctx context.Context, oauthInput In
 }
 
 func (c *Controller) getSettingsActionWebSession(ctx context.Context, r *http.Request) (*webapp.Session, error) {
-	webappSession, err := c.GetWebappSession(ctx)
-	if err != nil {
-		// No session means it is not in settings action
-		if errors.Is(err, webapp.ErrSessionNotFound) {
-			return nil, nil
-		}
-		return nil, err
+	webappSession := webapp.GetSession(ctx)
+	if webappSession == nil {
+		return nil, nil
 	}
 	if webappSession.SettingsActionID == "" {
 		// This session is not for a settings action, ignore it
@@ -401,6 +393,9 @@ func (c *Controller) getSettingsActionWebSession(ctx context.Context, r *http.Re
 		// This session is not for the current settings action, ignore it
 		return nil, nil
 	}
+	if webappSession.IsCompleted {
+		return nil, webapp.ErrSessionCompleted
+	}
 	return webappSession, nil
 }
 

pkg/auth/handler/webapp/create_passkey.go

@@ -53,7 +53,7 @@ func (h *CreatePasskeyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 	defer ctrl.ServeWithDBTx(r.Context())
 
 	ctrl.Get(func(ctx context.Context) error {
-		session, err := ctrl.GetWebappSession(ctx)
+		session, err := ctrl.InteractionSession(ctx)
 		if err != nil {
 			return err
 		}

pkg/auth/handler/webapp/create_password.go

@@ -107,7 +107,7 @@ func (h *CreatePasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 	defer ctrl.ServeWithDBTx(r.Context())
 
 	ctrl.Get(func(ctx context.Context) error {
-		session, err := ctrl.GetWebappSession(ctx)
+		session, err := ctrl.InteractionSession(ctx)
 		if err != nil {
 			return err
 		}

pkg/auth/handler/webapp/enter_oob_otp.go

@@ -161,7 +161,7 @@ func (h *EnterOOBOTPHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	defer ctrl.ServeWithDBTx(r.Context())
 
 	ctrl.Get(func(ctx context.Context) error {
-		session, err := ctrl.GetWebappSession(ctx)
+		session, err := ctrl.InteractionSession(ctx)
 		if err != nil {
 			return err
 		}

pkg/auth/handler/webapp/enter_password.go

@@ -118,7 +118,7 @@ func (h *EnterPasswordHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 	defer ctrl.ServeWithDBTx(r.Context())
 
 	ctrl.Get(func(ctx context.Context) error {
-		session, err := ctrl.GetWebappSession(ctx)
+		session, err := ctrl.InteractionSession(ctx)
 		if err != nil {
 			return err
 		}