Invalidate old session after login #9253

(cherry picked from commit 0189975)

modules/lib/lib-auth/src/main/java/com/enonic/xp/lib/auth/LoginHandler.java

@@ -9,6 +9,7 @@
 
 import com.enonic.xp.context.Context;
 import com.enonic.xp.context.ContextBuilder;
+import com.enonic.xp.context.LocalScope;
 import com.enonic.xp.portal.PortalRequest;
 import com.enonic.xp.script.bean.BeanContext;
 import com.enonic.xp.script.bean.ScriptBean;
@@ -30,11 +31,6 @@
 public final class LoginHandler
     implements ScriptBean
 {
-    private enum Scope
-    {
-        SESSION, REQUEST
-    }
-
     private String user;
 
     private String password;
@@ -91,6 +87,9 @@ public LoginResultMapper login()
         {
             switch ( this.scope )
             {
+                case NONE:
+                    // do nothing
+                    break;
                 case REQUEST:
                     this.context.get().getLocalScope().setAttribute( authInfo );
                     break;
@@ -110,15 +109,26 @@ public LoginResultMapper login()
 
     private void createSession( final AuthenticationInfo authInfo )
     {
-        final Session session = this.context.get().getLocalScope().getSession();
+        final LocalScope localScope = this.context.get().getLocalScope();
+        final Session session = localScope.getSession();
+
         if ( session != null )
         {
-            session.setAttribute( authInfo );
-        }
+            final var attributes = session.getAttributes();
+            session.invalidate();
 
-        if ( this.sessionTimeout != null )
-        {
-            setSessionTimeout();
+            final Session newSession = localScope.getSession();
+
+            if ( newSession != null )
+            {
+                attributes.forEach( newSession::setAttribute );
+                session.setAttribute( authInfo );
+
+                if ( this.sessionTimeout != null )
+                {
+                    setSessionTimeout();
+                }
+            }
         }
     }
 
@@ -146,9 +156,8 @@ private AuthenticationInfo attemptLoginWithAllExistingIdProviders()
     private IdProviders getSortedIdProviders()
     {
         IdProviders idProviders = securityService.get().getIdProviders();
-        return IdProviders.from( idProviders.stream().
-            sorted( Comparator.comparing( u -> u.getKey().toString() ) ).
-            collect( Collectors.toList() ) );
+        return IdProviders.from(
+            idProviders.stream().sorted( Comparator.comparing( u -> u.getKey().toString() ) ).collect( Collectors.toList() ) );
     }
 
     private AuthenticationInfo attemptLogin()
@@ -218,11 +227,12 @@ private AuthenticationInfo authenticate( IdProviderKey idProvider )
     private <T> T runAsAuthenticated( Callable<T> runnable )
     {
         final AuthenticationInfo authInfo = AuthenticationInfo.create().principals( RoleKeys.AUTHENTICATED ).user( User.ANONYMOUS ).build();
-        return ContextBuilder.from( this.context.get() ).
-            authInfo( authInfo ).
-            repositoryId( SystemConstants.SYSTEM_REPO_ID ).
-            branch( SecurityConstants.BRANCH_SECURITY ).build().
-            callWith( runnable );
+        return ContextBuilder.from( this.context.get() )
+            .authInfo( authInfo )
+            .repositoryId( SystemConstants.SYSTEM_REPO_ID )
+            .branch( SecurityConstants.BRANCH_SECURITY )
+            .build()
+            .callWith( runnable );
     }
 
     private boolean isValidEmail( final String value )
@@ -250,4 +260,9 @@ public void initialize( final BeanContext context )
         this.context = context.getBinding( Context.class );
         this.portalRequestSupplier = context.getBinding( PortalRequest.class );
     }
+
+    private enum Scope
+    {
+        SESSION, REQUEST, NONE
+    }
 }

modules/lib/lib-auth/src/test/java/com/enonic/xp/lib/auth/LoginHandlerTest.java

@@ -23,6 +23,8 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 
 public class LoginHandlerTest
     extends ScriptTestSupport
@@ -171,6 +173,25 @@ public void testLoginMultipleIdProvidersInOrder()
         assertEquals( "idprovider3", matcher.loginIdProviderAttempts.get( 2 ).toString() );
     }
 
+    @Test
+    public void testSessionInvalidatedOnLogin()
+    {
+        final AuthenticationInfo authInfo = TestDataFixtures.createAuthenticationInfo();
+
+        final IdProviders idProviders =
+            IdProviders.from( IdProvider.create().displayName( "system" ).key( IdProviderKey.from( "system" ) ).build() );
+
+        Mockito.when( this.securityService.authenticate( Mockito.any() ) ).thenReturn( authInfo );
+        Mockito.when( this.securityService.getIdProviders() ).thenReturn( idProviders );
+
+        final SessionMock session = Mockito.spy( new SessionMock() );
+        ContextAccessor.current().getLocalScope().setSession( session );
+
+        runScript( "/lib/xp/examples/auth/login.js" );
+
+        verify( session, times( 5 ) ).invalidate();
+    }
+
     private static class AuthTokenMatcher
         implements ArgumentMatcher<AuthenticationToken>
     {