session: update un-set MacaroonRecipe field in kvdb

ViktorT-11 · ViktorT-11 · commit 6b8c58f9c916 · 2025-06-03T02:08:10.000+02:00
The KVDB implementation could previously create sessions with a non‐nil
`MacaroonRecipe` whose `Permissions` and `Caveats` fields were both nil.
However, the SQL session store cannot represent a `MacaroonRecipe` if
both `Permissions` and `Caveats` are missing—because in SQL they are
stored in separate tables, and without any entries in those tables we
can't represent a `MacaroonRecipe` record at all.

This commit therefore changes the implementation for the KVDB session
store, so that such sessions will have a nil value set for the
`MacaroonRecipe` field, if no `Permissions` and `Caveats` are set.

Additionally, when a session has a `MacaroonRecipe` set but one of the
`Permissions` or `Caveats` fields is unset, the KVDB session store would
represent that field as `nil`, whereas the SQL store would represent it
as an empty array.

Therefore, we update the KVDB session store implementation so that in
this scenario, those fields are also set to an empty array instead of
`nil`, matching the SQL store’s behavior.

This change is important because the KVDB→SQL migration code expects
sessions in both stores to be equivalent. Without it, comparing sessions
would fail, since the `MacaroonRecipe` field would be represented
differently in each store.
diff --git a/session/tlv.go b/session/tlv.go
@@ -283,11 +283,23 @@ func DeserializeSession(r io.Reader) (*Session, error) {
 	// any) is linked implicitly via the macaroon recipe caveat. So we
 	// need to extract it from there.
 	if session.MacaroonRecipe != nil {
-		session.AccountID, err = accounts.IDFromCaveats(
-			session.MacaroonRecipe.Caveats,
-		)
-		if err != nil {
-			return nil, err
+		caveats := session.MacaroonRecipe.Caveats
+		perms := session.MacaroonRecipe.Permissions
+
+		// If there are no caveats or permissions, we set the
+		// MacaroonRecipe to nil. This ensures that different store
+		// implementations exhibit consistent behavior in this scenario.
+		if len(caveats) == 0 && len(perms) == 0 {
+			session.MacaroonRecipe = nil
+		} else {
+			// If there are caveats, we attempt to extract the
+			// AccountID if one exists.
+			session.AccountID, err = accounts.IDFromCaveats(
+				session.MacaroonRecipe.Caveats,
+			)
+			if err != nil {
+				return nil, err
+			}
 		}
 	}
 
@@ -472,6 +484,16 @@ func macaroonRecipeDecoder(r io.Reader, val interface{}, buf *[8]byte,
 			return err
 		}
 
+		// If either the permissions or caveats are nil, initialize them
+		// to empty slices. This ensures that different store
+		// implementations exhibit consistent behavior in this scenario.
+		if perms == nil {
+			perms = make([]bakery.Op, 0)
+		}
+		if caveats == nil {
+			caveats = make([]macaroon.Caveat, 0)
+		}
+
 		*v = MacaroonRecipe{
 			Permissions: perms,
 			Caveats:     caveats,
