BoYiZhang opened a new issue #3104:
URL: https://github.com/apache/incubator-dolphinscheduler/issues/3104
For example: the admin user sets a long-term valid token in Token Manage for the API interface.
But after logging in to the web page as admin, according to the following code, because there is no type distinction, the created token may be deleted by mistake:
```java
if (sessionList.size() > 1) {
    for (int i = 1; i < sessionList.size(); i++) {
        sessionMapper.deleteById(sessionList.get(i).getId());
    }
}
```
The complete code is as follows:
`org.apache.dolphinscheduler.api.service.SessionService#createSession`
```java
/**
 * create session
 *
 * @param user user
 * @param ip   ip
 * @return session string
 */
@Transactional(rollbackFor = Exception.class)
public String createSession(User user, String ip) {
    Session session = null;
    // all sessions currently stored for this user (login sessions and API tokens alike)
    List<Session> sessionList = sessionMapper.queryByUserId(user.getId());
    Date now = new Date();
    /**
     * if you have logged in and are still valid, return directly
     */
    if (CollectionUtils.isNotEmpty(sessionList)) {
        // if the session list is greater than 1, delete the others and keep one
        if (sessionList.size() > 1) {
            for (int i = 1; i < sessionList.size(); i++) {
                sessionMapper.deleteById(sessionList.get(i).getId());
            }
        }
        session = sessionList.get(0);
        if (now.getTime() - session.getLastLoginTime().getTime() <=
                Constants.SESSION_TIME_OUT * 1000) {
            /**
             * update the latest login time
             */
            session.setLastLoginTime(now);
            sessionMapper.updateById(session);
            return session.getId();
        } else {
            /**
             * session expired, then delete this session first
             */
            sessionMapper.deleteById(session.getId());
        }
    }
    // assign new session
    session = new Session();
    session.setId(UUID.randomUUID().toString());
    session.setIp(ip);
    session.setUserId(user.getId());
    session.setLastLoginTime(now);
    sessionMapper.insert(session);
    return session.getId();
}
```
------------------------------------
It is suggested to add a field to distinguish the token created by the token management function from the token generated by a normal login operation.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
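An added sketch (not DolphinScheduler code) of the fix suggested in the issue: a hypothetical `SessionType` field on `Session` lets `createSession` prune only duplicate web-login sessions, so a long-lived API token stored in the same table survives an admin login. The in-memory list, the `SESSION_TIME_OUT_SECONDS` value and the ids are constructed stand-ins for `SessionMapper`, `Constants.SESSION_TIME_OUT` and real session ids.

```java
import java.util.*;
import java.util.stream.Collectors;

public class SessionTypeDemo {
    // Hypothetical type field proposed by the issue; not part of the project's Session entity.
    enum SessionType { LOGIN, API_TOKEN }

    static class Session {
        final String id; final int userId; final SessionType type; Date lastLoginTime;
        Session(String id, int userId, SessionType type, Date lastLoginTime) {
            this.id = id; this.userId = userId; this.type = type; this.lastLoginTime = lastLoginTime;
        }
    }

    static final long SESSION_TIME_OUT_SECONDS = 7200;      // constructed stand-in for Constants.SESSION_TIME_OUT
    static final List<Session> store = new ArrayList<>();   // in-memory stand-in for the session table / SessionMapper

    static String createSession(int userId, Date now) {
        // Only web-login sessions are candidates for the "keep one, delete the rest" logic;
        // API tokens are filtered out here instead of being swept up by queryByUserId.
        List<Session> logins = store.stream()
                .filter(s -> s.userId == userId && s.type == SessionType.LOGIN)
                .collect(Collectors.toList());
        if (!logins.isEmpty()) {
            for (int i = 1; i < logins.size(); i++) {
                store.remove(logins.get(i));                 // prune duplicate logins, tokens untouched
            }
            Session session = logins.get(0);
            if (now.getTime() - session.lastLoginTime.getTime() <= SESSION_TIME_OUT_SECONDS * 1000) {
                session.lastLoginTime = now;                 // still valid: refresh and reuse
                return session.id;
            }
            store.remove(session);                           // expired: drop it and issue a new one
        }
        Session fresh = new Session(UUID.randomUUID().toString(), userId, SessionType.LOGIN, now);
        store.add(fresh);
        return fresh.id;
    }

    public static void main(String[] args) {
        Date now = new Date();
        // Constructed scenario from the issue: admin holds a long-lived API token and an old login session,
        // then logs in again on the web page.
        store.add(new Session("api-token-1", 1, SessionType.API_TOKEN, now));
        store.add(new Session("stale-login", 1, SessionType.LOGIN,
                new Date(now.getTime() - 10 * SESSION_TIME_OUT_SECONDS * 1000)));
        String newId = createSession(1, now);
        boolean tokenSurvives = store.stream().anyMatch(s -> s.id.equals("api-token-1"));
        System.out.println("new login session: " + newId + ", API token still present: " + tokenSurvives);
    }
}
```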