fix auth pending session hardening

2026-04-21 01:45:25 +08:00
parent 1d8432b8a4
commit 7c6491c2d3
12 changed files with 490 additions and 32 deletions
--- a/backend/internal/service/auth_service_identity_sync_test.go
+++ b/backend/internal/service/auth_service_identity_sync_test.go
@@ -170,24 +170,26 @@ func TestAuthServiceRegisterDualWritesEmailIdentity(t *testing.T) {
 	require.NotNil(t, identity.VerifiedAt)
 }

-func TestAuthServiceLoginTouchesLastLoginAt(t *testing.T) {
-	svc, repo, client := newAuthServiceWithEnt(t, map[string]string{
+func TestAuthServiceLoginDefersLastLoginTouchUntilRecordSuccessfulLogin(t *testing.T) {
+	svc, _, client := newAuthServiceWithEnt(t, map[string]string{
 		service.SettingKeyRegistrationEnabled: "true",
 	}, nil)
 	ctx := context.Background()

-	user := &service.User{
-		Email:       "login@example.com",
-		Role:        service.RoleUser,
-		Status:      service.StatusActive,
-		Balance:     1,
-		Concurrency: 1,
-	}
-	require.NoError(t, user.SetPassword("password"))
-	require.NoError(t, repo.Create(ctx, user))
+	passwordHash, err := svc.HashPassword("password")
+	require.NoError(t, err)
+	user, err := client.User.Create().
+		SetEmail("login@example.com").
+		SetPasswordHash(passwordHash).
+		SetRole(service.RoleUser).
+		SetStatus(service.StatusActive).
+		SetBalance(1).
+		SetConcurrency(1).
+		Save(ctx)
+	require.NoError(t, err)

 	old := time.Now().Add(-2 * time.Hour).UTC().Round(time.Second)
-	_, err := client.User.UpdateOneID(user.ID).
+	_, err = client.User.UpdateOneID(user.ID).
 		SetLastLoginAt(old).
 		SetLastActiveAt(old).
 		Save(ctx)
@@ -202,8 +204,20 @@ func TestAuthServiceLoginTouchesLastLoginAt(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, storedUser.LastLoginAt)
 	require.NotNil(t, storedUser.LastActiveAt)
-	require.True(t, storedUser.LastLoginAt.After(old))
-	require.True(t, storedUser.LastActiveAt.After(old))
+	require.True(t, storedUser.LastLoginAt.Equal(old))
+	require.True(t, storedUser.LastActiveAt.Equal(old))
+
+	identityCount, err := client.AuthIdentity.Query().
+		Where(
+			authidentity.ProviderTypeEQ("email"),
+			authidentity.ProviderKeyEQ("email"),
+			authidentity.ProviderSubjectEQ("login@example.com"),
+		).
+		Count(ctx)
+	require.NoError(t, err)
+	require.Zero(t, identityCount)
+
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	identity, err := client.AuthIdentity.Query().
 		Where(
@@ -273,6 +287,7 @@ func TestAuthServiceLogin_AppliesEmailFirstBindDefaultsOnlyWhenEmailIdentityIsNe
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 	require.NotNil(t, gotUser)
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	storedUser, err := client.User.Get(ctx, user.ID)
 	require.NoError(t, err)
@@ -343,6 +358,7 @@ func TestAuthServiceLogin_DoesNotApplyEmailFirstBindDefaultsWhenIdentityAlreadyE
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 	require.NotNil(t, gotUser)
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	storedUser, err := client.User.Get(ctx, user.ID)
 	require.NoError(t, err)
@@ -380,6 +396,7 @@ func TestAuthServiceLogin_RetriesEmailFirstBindDefaultsAfterPreviousFailure(t *t
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 	require.NotNil(t, gotUser)
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	storedUser, err := client.User.Get(ctx, user.ID)
 	require.NoError(t, err)
@@ -392,6 +409,7 @@ func TestAuthServiceLogin_RetriesEmailFirstBindDefaultsAfterPreviousFailure(t *t
 	require.NoError(t, err)
 	require.NotEmpty(t, token)
 	require.NotNil(t, gotUser)
+	svc.RecordSuccessfulLogin(ctx, user.ID)

 	storedUser, err = client.User.Get(ctx, user.ID)
 	require.NoError(t, err)