fix: QLSessionHandler behaviour changes and QLSessionHandlerTest wpunit test added (#616)

* chore: QLSessionHandlerTest added

* chore: WPCS compliance met

* fix: JWT leeway set in unit test

* fix: Docker environment salts updated

* fix: salts restored

* chore: WPCS compliance met

* chore: JWT::leeway removed from tests

* devops: Uncommented assertion in QLSessionHandlerTest

* chore: WPCS compliance met

Author: kidunot89

includes/utils/class-ql-session-handler.php

@@ -138,9 +138,9 @@ public function init_session_token() {
 				$this->set_customer_session_token( true );
 			}
 
-			// Update session if its close to expiring.
-			if ( time() > $this->_session_expiring ) {
-				$this->set_session_expiration();
+			// Update session expiration on each action.
+			$this->set_session_expiration();
+			if ( $token->exp < $this->set_session_expiration ) {
 				$this->update_session_timestamp( $this->_customer_id, $this->_session_expiration );
 			}
 		} else {
@@ -241,6 +241,10 @@ public function get_session_header() {
 	 * @return string
 	 */
 	public function build_token() {
+		if ( empty( $this->_session_issued ) ) {
+			return false;
+		}
+
 		/**
 		 * Determine the "not before" value for use in the token
 		 *
@@ -311,7 +315,7 @@ public function build_token() {
 	 * @param bool $set Should the session cookie be set.
 	 */
 	public function set_customer_session_token( $set ) {
-		if ( $set ) {
+		if ( ! empty( $this->_session_issued ) && $set ) {
 			/**
 			 * Set callback session token for use in the HTTP response header and customer/user "sessionToken" field.
 			 */
@@ -353,7 +357,7 @@ public function set_session_expiration() {
 			time() + ( 3600 * 336 )
 		);
 		// 13 Days.
-		$this->_session_expiring = $this->_session_expiration - ( 3600 * 24 );
+		$this->_session_expiring = $this->_session_expiration - ( 3600 * 60 );
 	}
 
 	/**
@@ -364,9 +368,14 @@ public function forget_session() {
 			unset( $this->_token_to_be_sent );
 		}
 		wc_empty_cart();
-		$this->_data        = array();
-		$this->_dirty       = false;
-		$this->_customer_id = $this->generate_customer_id();
+		$this->_data  = array();
+		$this->_dirty = false;
+
+		// Start new session.
+		$this->set_session_expiration();
+
+		// Get Customer ID.
+		$this->_customer_id = is_user_logged_in() ? get_current_user_id() : $this->generate_customer_id();
 	}
 
 	/**
@@ -386,6 +395,7 @@ public function save_if_dirty( $source, $args, $context, $info ) {
 		// Update if user recently authenticated.
 		if ( is_user_logged_in() && get_current_user_id() !== $this->_customer_id ) {
 			$this->_customer_id = get_current_user_id();
+			$this->_dirty       = true;
 		}
 
 		// Bail if no changes.

tests/wpunit/QLSessionHandlerTest.php

@@ -0,0 +1,150 @@
+<?php
+/**
+ * Unit test for QL_Session_Handler
+ */
+
+use Firebase\JWT\JWT;
+use WPGraphQL\WooCommerce\Utils\QL_Session_Handler;
+
+if ( ! defined( 'GRAPHQL_WOOCOMMERCE_SECRET_KEY' ) ) {
+	define( 'GRAPHQL_WOOCOMMERCE_SECRET_KEY', 'graphql-woo-cart-session' );
+}
+
+class QLSessionHandlerTest extends \Tests\WPGraphQL\WooCommerce\TestCase\WooGraphQLTestCase {
+	public function tearDown(): void {
+		unset( $_SERVER );
+
+		// after
+		parent::tearDown();
+	}
+
+	// Tests
+	public function test_initializes() {
+		// Create session handler.
+		$session = new QL_Session_Handler();
+
+		$this->assertInstanceOf( QL_Session_Handler::class, $session );
+	}
+
+	public function test_init_session_token() {
+		// Create session handler.
+		$session = new QL_Session_Handler();
+
+		// Assert session hasn't started.
+		$this->assertFalse( $session->has_session(), 'Shouldn\'t have a session yet' );
+
+		// Initialize session.
+		$session->init_session_token();
+
+		// Assert session has started.
+		$this->assertTrue( $session->has_session(), 'Should have session.' );
+
+		// Get token for future request.
+		$old_token         = $session->build_token();
+		$decoded_old_token = JWT::decode( $old_token, GRAPHQL_WOOCOMMERCE_SECRET_KEY, array( 'HS256' ) );
+
+		// Sent token to HTTP header to simulate a new request.
+		$_SERVER['HTTP_WOOCOMMERCE_SESSION'] = 'Session ' . $old_token;
+
+		// Stale for 5 seconds so timers can update.
+		usleep( 1000000 );
+
+		// Initialize session token for next request.
+		$session->init_session_token();
+		$new_token         = $session->build_token();
+		$decoded_new_token = JWT::decode( $new_token, GRAPHQL_WOOCOMMERCE_SECRET_KEY, array( 'HS256' ) );
+
+		// Assert new token is different than old token.
+		$this->assertNotEquals( $old_token, $new_token, 'New token should not match token from last request.' );
+		$this->assertGreaterThan( $decoded_old_token->exp, $decoded_new_token->exp );
+	}
+
+	public function test_get_session_token() {
+		// Create session handler.
+		$session = new QL_Session_Handler();
+
+		// Expect token to be null.
+		$null_token = $session->get_session_token();
+		$this->assertFalse( $null_token, 'No token should exist.' );
+
+		// Set token in header.
+		$session->init_session_token();
+		$_SERVER['HTTP_WOOCOMMERCE_SESSION'] = 'Session ' . $session->build_token();
+
+		// Expect token to be value.
+		$token = $session->get_session_token();
+		$this->assertObjectHasAttribute( 'iat', $token );
+		$this->assertObjectHasAttribute( 'exp', $token );
+		$this->assertObjectHasAttribute( 'data', $token );
+	}
+
+	public function test_get_session_header() {
+		// Create session handler.
+		$session = new QL_Session_Handler();
+		$session->init_session_token();
+
+		// Get the Auth header.
+		$null_header = $session->get_session_header();
+
+		$this->assertFalse( $null_header, 'No HTTP Header with session token should exist.' );
+
+		// Set token in header.
+		$_SERVER['HTTP_WOOCOMMERCE_SESSION'] = 'Session ' . $session->build_token();
+
+		$this->assertIsString( $session->get_session_header() );
+	}
+
+	public function test_build_token() {
+		// Create session handler.
+		$session = new QL_Session_Handler();
+
+		// Should be invalid if run before initialization.
+		$invalid_token = $session->build_token();
+		$this->assertFalse( $invalid_token, 'Should be an invalid session token' );
+
+		// Should valid when run after initialization.
+		$session->init_session_token();
+		$token = $session->build_token();
+
+		$decode_token = JWT::decode( $token, GRAPHQL_WOOCOMMERCE_SECRET_KEY, array( 'HS256' ) );
+		$this->assertObjectHasAttribute( 'iat', $decode_token );
+		$this->assertObjectHasAttribute( 'exp', $decode_token );
+		$this->assertObjectHasAttribute( 'data', $decode_token );
+
+		$this->assertEquals( $token, $session->build_token() );
+	}
+
+	public function test_set_customer_session_token() {
+		// Create session handler.
+		$session = new QL_Session_Handler();
+
+		// Should fail to set headers if run before initialization.
+		$session->set_customer_session_token( true );
+		$graphql_response_headers = apply_filters( 'graphql_response_headers_to_send', array() );
+		$this->assertArrayNotHasKey( 'woocommerce-session', $graphql_response_headers );
+
+		// Should success when run after initialization.
+		$session->init_session_token();
+		$graphql_response_headers = apply_filters( 'graphql_response_headers_to_send', array() );
+		$this->assertArrayHasKey( 'woocommerce-session', $graphql_response_headers );
+	}
+
+	public function test_forget_session() {
+		// Create session handler.
+		$session = new QL_Session_Handler();
+		$session->init_session_token();
+
+		// Get old token
+		$old_token = $session->build_token();
+		$this->assertIsString( $old_token );
+
+		// Forget session
+		$session->forget_session();
+
+		// Get new token.
+		$new_token = $session->build_token();
+		$this->assertIsString( $old_token );
+
+		$this->assertNotEquals( $old_token, $new_token, 'Tokens should not match' );
+	}
+}

tests/wpunit/bootstrap.php

@@ -1,7 +1,7 @@
 <?php
 
 // Turn off "QL_SESSION_HANDLER" for unit tests.
-define( 'NO_QL_SESSION_HANDLER', true );
+//define( 'NO_QL_SESSION_HANDLER', true );
 
 add_filter(
 	'graphql_request_results',