fix auth pending session hardening

2026-04-21 01:45:25 +08:00
parent 1d8432b8a4
commit 7c6491c2d3
12 changed files with 490 additions and 32 deletions
--- a/backend/internal/service/auth_oauth_email_flow.go
+++ b/backend/internal/service/auth_oauth_email_flow.go
@@ -104,7 +104,7 @@ func (s *AuthService) RegisterOAuthEmailAccount(
 		return nil, nil, ErrServiceUnavailable
 	}

-	s.postAuthUserBootstrap(ctx, user, signupSource, true)
+	s.postAuthUserBootstrap(ctx, user, signupSource, false)
 	s.assignSubscriptions(ctx, user.ID, grantPlan.Subscriptions, "auto assigned by signup defaults")

 	if invitationRedeemCode != nil {
--- a/backend/internal/service/auth_service.go
+++ b/backend/internal/service/auth_service.go
@@ -430,8 +430,6 @@ func (s *AuthService) Login(ctx context.Context, email, password string) (string
 	if !user.IsActive() {
 		return "", nil, ErrUserNotActive
 	}
-	s.backfillEmailIdentityOnSuccessfulLogin(ctx, user)
-	s.touchUserLogin(ctx, user.ID)

 	// 生成JWT token
 	token, err := s.GenerateToken(user)
@@ -507,7 +505,7 @@ func (s *AuthService) LoginOrRegisterOAuth(ctx context.Context, email, username
 				}
 			} else {
 				user = newUser
-				s.postAuthUserBootstrap(ctx, user, signupSource, true)
+				s.postAuthUserBootstrap(ctx, user, signupSource, false)
 				s.assignSubscriptions(ctx, user.ID, grantPlan.Subscriptions, "auto assigned by signup defaults")
 			}
 		} else {
@@ -527,8 +525,6 @@ func (s *AuthService) LoginOrRegisterOAuth(ctx context.Context, email, username
 			logger.LegacyPrintf("service.auth", "[Auth] Failed to update username after oauth login: %v", err)
 		}
 	}
-	s.touchUserLogin(ctx, user.ID)
-
 	token, err := s.GenerateToken(user)
 	if err != nil {
 		return "", nil, fmt.Errorf("generate token: %w", err)
@@ -634,7 +630,7 @@ func (s *AuthService) LoginOrRegisterOAuthWithTokenPair(ctx context.Context, ema
 						return nil, nil, ErrServiceUnavailable
 					}
 					user = newUser
-					s.postAuthUserBootstrap(ctx, user, signupSource, true)
+					s.postAuthUserBootstrap(ctx, user, signupSource, false)
 					s.assignSubscriptions(ctx, user.ID, grantPlan.Subscriptions, "auto assigned by signup defaults")
 				}
 			} else {
@@ -651,7 +647,7 @@ func (s *AuthService) LoginOrRegisterOAuthWithTokenPair(ctx context.Context, ema
 					}
 				} else {
 					user = newUser
-					s.postAuthUserBootstrap(ctx, user, signupSource, true)
+					s.postAuthUserBootstrap(ctx, user, signupSource, false)
 					s.assignSubscriptions(ctx, user.ID, grantPlan.Subscriptions, "auto assigned by signup defaults")
 					if invitationRedeemCode != nil {
 						if err := s.redeemRepo.Use(ctx, invitationRedeemCode.ID, user.ID); err != nil {
@@ -676,8 +672,6 @@ func (s *AuthService) LoginOrRegisterOAuthWithTokenPair(ctx context.Context, ema
 			logger.LegacyPrintf("service.auth", "[Auth] Failed to update username after oauth login: %v", err)
 		}
 	}
-	s.touchUserLogin(ctx, user.ID)
-
 	tokenPair, err := s.GenerateTokenPair(ctx, user, "")
 	if err != nil {
 		return nil, nil, fmt.Errorf("generate token pair: %w", err)
--- a/backend/internal/service/auth_service_identity_sync_test.go
+++ b/backend/internal/service/auth_service_identity_sync_test.go
@@ -170,24 +170,26 @@ func TestAuthServiceRegisterDualWritesEmailIdentity(t *testing.T) {
 	require.NotNil(t, identity.VerifiedAt)
 }

-func TestAuthServiceLoginTouchesLastLoginAt(t *testing.T) {
-	svc, repo, client := newAuthServiceWithEnt(t, map[string]string{
+func TestAuthServiceLoginDefersLastLoginTouchUntilRecordSuccessfulLogin(t *testing.T) {
+	svc, _, client := newAuthServiceWithEnt(t, map[string]string{
 		service.SettingKeyRegistrationEnabled: "true",
 	}, nil)
 	ctx := context.Background()

-	user := &service.User{
-		Email:       "login@example.com",
-		Role:        service.RoleUser,
-		Status:      service.StatusActive,
-		Balance:     1,
-		Concurrency: 1,
-	}
-	require.NoError(t, user.SetPassword("password"))
-	require.NoError(t, repo.Create(ctx, user))
+	passwordHash, err := svc.HashPassword("password")
+	require.NoError(t, err)
+	user, err := client.User.Create().
+		SetEmail("login@example.com").
+		SetPasswordHash(passwordHash).
+		SetRole(service.RoleUser).
+		SetStatus(service.StatusActive).
+		SetBalance(1).
+		SetConcurrency(1).
+		Save(ctx)
+	require.NoError(t, err)

 	old := time.Now().Add(-2 * time.Hour).UTC().Round(time.Second)
-	_, err := client.User.UpdateOneID(user.ID).
+	_, err = client.User.UpdateOneID(user.ID).
 		SetLastLoginAt(old).
 		SetLastActiveAt(old).
 		Save(ctx)
@@ -202,8 +204,20 @@ func TestAuthServiceLoginTouchesLastLoginAt(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, storedUser.LastLoginAt)
 	require.NotNil(t, storedUser.LastActiveAt)
-	require.True(t, storedUser.LastLoginAt.After(old))
-	require.True(t, storedUser.LastActiveAt.After(old))
+	require.True(t, storedUser.LastLoginAt.Equal(old))
+	require.True(t, storedUser.LastActiveAt.Equal(old))
+
+	identityCount, err := client.AuthIdentity.Query().
+		Where(
+			authidentity.ProviderTypeEQ("email"),
+			authidentity.ProviderKeyEQ("email"),
+			authidentity.ProviderSubjectEQ("login@example.com"),
+		).
+		Count(ctx)
+	require.NoError(t, err)
+	require.Zero(t, identityCount)
+
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	identity, err := client.AuthIdentity.Query().
 		Where(
@@ -273,6 +287,7 @@ func TestAuthServiceLogin_AppliesEmailFirstBindDefaultsOnlyWhenEmailIdentityIsNe
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 	require.NotNil(t, gotUser)
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	storedUser, err := client.User.Get(ctx, user.ID)
 	require.NoError(t, err)
@@ -343,6 +358,7 @@ func TestAuthServiceLogin_DoesNotApplyEmailFirstBindDefaultsWhenIdentityAlreadyE
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 	require.NotNil(t, gotUser)
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	storedUser, err := client.User.Get(ctx, user.ID)
 	require.NoError(t, err)
@@ -380,6 +396,7 @@ func TestAuthServiceLogin_RetriesEmailFirstBindDefaultsAfterPreviousFailure(t *t
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 	require.NotNil(t, gotUser)
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	storedUser, err := client.User.Get(ctx, user.ID)
 	require.NoError(t, err)
@@ -392,6 +409,7 @@ func TestAuthServiceLogin_RetriesEmailFirstBindDefaultsAfterPreviousFailure(t *t
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 	require.NotNil(t, gotUser)
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	storedUser, err = client.User.Get(ctx, user.ID)
 	require.NoError(t, err)