Possible bug with extend_remember_deadline functionality #331
mikereczek started this conversation in General
Replies: 3 comments
-
Your approach seems reasonable to me. Something like this?:

diff --git a/lib/rodauth/features/remember.rb b/lib/rodauth/features/remember.rb
index 8e1263f..0287960 100644
--- a/lib/rodauth/features/remember.rb
+++ b/lib/rodauth/features/remember.rb
@@ -114,8 +114,12 @@ module Rodauth
def load_memory
if logged_in?
if extend_remember_deadline_while_logged_in?
- account_from_session
- extend_remember_deadline
+ if account_from_session
+ extend_remember_deadline
+ else
+ forget_login
+ clear_session
+ end
end
elsif account_from_remember_cookie
before_load_memory |
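
Review bot: The new `else` branch under `if account_from_session` sits inside the `extend_remember_deadline_while_logged_in?` guard, so a logged-in session whose account can no longer be loaded is only cleared here when that option is enabled. It is worth confirming that this is intended and that the same stale session is rejected elsewhere when the option is off. A one-line comment on the `else` saying it covers an account that no longer exists while its session is still live would help, and the hunk shows no spec for that case, so one that deletes the account mid-session and asserts that both the remember cookie and the session are cleared should accompany it.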
-
Thank you - yes.
-
Fixed: 5968d21
-
Hi Jeremy,
I'm coming over from rodauth-rails (@janko) but I believe this to be a rodauth issue.
I occasionally get the following error at rodauth.load_memory in development after resetting the database and repopulating my accounts table with records (note that accountid is a uuid and is different after each db reset):
Note that whenever I see the error:
extend_remember_deadline? true
I believe what's happening here is that rodauth thinks there should be an account based on the session cookie and then tries to update account_remember_keys without first checking that it did indeed find an account record.
I hesitated to call this a bug (hence the discussion) since the path I took to get it is kind of obscure, but I presume the same would happen in production if a site admin deletes an account while that account is logged in, or if an end user deletes their own account while logged in on another browser.
I propose that there should be an account check before trying to extend the remember cookie, and if none is found, it should delete the remember cookie and reset the session.
Thoughts?
Thank you for your work on rodauth!