chore: Refactor the my/Sessions controller

marienfressinaud · marienfressinaud · commit 0f759bf44f75 · 2025-11-14T15:28:22.000+01:00
diff --git a/src/auth/Access.php b/src/auth/Access.php
@@ -37,6 +37,8 @@ public static function can(?models\User $user, string $action, object $subject):
             $access_class = NotesAccess::class;
         } elseif ($subject instanceof models\Importation) {
             $access_class = ImportationsAccess::class;
+        } elseif ($subject instanceof models\Session) {
+            $access_class = SessionsAccess::class;
         } else {
             throw new \InvalidArgumentException("{$subject_class} subject is not supported");
         }
diff --git a/src/auth/SessionsAccess.php b/src/auth/SessionsAccess.php
@@ -0,0 +1,20 @@
+<?php
+
+namespace App\auth;
+
+use App\models;
+
+/**
+ * @author  Marien Fressinaud <dev@marienfressinaud.fr>
+ * @license http://www.gnu.org/licenses/agpl-3.0.en.html AGPL
+ */
+class SessionsAccess
+{
+    public static function canDelete(?models\User $user, models\Session $session): bool
+    {
+        return (
+            $user &&
+            $user->id === $session->user_id
+        );
+    }
+}
diff --git a/src/controllers/my/Sessions.php b/src/controllers/my/Sessions.php
@@ -2,11 +2,12 @@
 
 namespace App\controllers\my;
 
-use Minz\Request;
-use Minz\Response;
 use App\auth;
 use App\controllers\BaseController;
+use App\forms;
 use App\models;
+use Minz\Request;
+use Minz\Response;
 
 /**
  * @author  Marien Fressinaud <dev@marienfressinaud.fr>
@@ -17,27 +18,23 @@ class Sessions extends BaseController
     /**
      * List the sessions of the current user
      *
-     * @response 302 /login?redirect_to=/my/sessions
-     *     If the user is not connected.
-     * @response 302 /my/security/confirmation?from=/my/sessions
-     *     If the password is not confirmed.
      * @response 200
      *     On success.
+     *
+     * @throws auth\MissingCurrentUserError
+     *     If the user is not connected.
+     * @throws auth\PasswordNotConfirmedError
+     *     If the password is not confirmed.
      */
     public function index(Request $request): Response
     {
-        $user = $this->requireCurrentUser(redirect_after_login: \Minz\Url::for('sessions'));
+        $user = auth\CurrentUser::require();
 
-        $session = auth\CurrentUser::session();
+        auth\CurrentUser::requireConfirmedPassword();
 
+        $session = auth\CurrentUser::session();
         assert($session !== null);
 
-        if (!$session->isPasswordConfirmed()) {
-            return Response::redirect('password confirmation', [
-                'from' => \Minz\Url::for('sessions'),
-            ]);
-        }
-
         $sessions = models\Session::listBy([
             'user_id' => $user->id,
         ], 'created_at DESC');
@@ -53,53 +50,50 @@ public function index(Request $request): Response
      *
      * @request_param string id
      *
-     * @response 302 /login?redirect_to=/my/sessions
-     *     If the user is not connected.
-     * @response 302 /my/security/confirmation?from=/my/sessions
-     *     If the password is not confirmed.
-     * @response 404
-     *     If the session doesn't exist.
      * @response 302 /my/sessions
+     * @flash error
      *     If the CSRF token is invalid.
      * @response 302 /my/sessions
      *     On success.
+     *
+     * @throws auth\MissingCurrentUserError
+     *     If the user is not connected.
+     * @throws auth\PasswordNotConfirmedError
+     *     If the password is not confirmed.
+     * @throws \Minz\Errors\MissingRecordError
+     *     If the session doesn't exist.
+     * @throws auth\AccessDeniedError
+     *     If the user cannot delete the session.
      */
     public function delete(Request $request): Response
     {
-        $user = $this->requireCurrentUser(redirect_after_login: \Minz\Url::for('sessions'));
-
-        $current_session = auth\CurrentUser::session();
+        $user = auth\CurrentUser::require();
 
-        assert($current_session !== null);
+        auth\CurrentUser::requireConfirmedPassword();
 
-        if (!$current_session->isPasswordConfirmed()) {
-            return Response::redirect('password confirmation', [
-                'from' => \Minz\Url::for('sessions'),
-            ]);
-        }
+        $session = models\Session::requireFromRequest($request);
 
-        $session_id = $request->parameters->getString('id', '');
-        $csrf = $request->parameters->getString('csrf', '');
+        auth\Access::require($user, 'delete', $session);
 
-        $session = models\Session::findBy([
-            'id' => $session_id,
-            'user_id' => $user->id,
-        ]);
+        $form = new forms\security\DeleteSession();
+        $form->handleRequest($request);
 
-        if (!$session) {
-            return Response::notFound('not_found.phtml');
+        if (!$form->validate()) {
+            \Minz\Flash::set('error', $form->error('@base'));
+            return Response::redirect('sessions');
         }
 
         $response = Response::redirect('sessions');
 
-        if (\App\Csrf::validate($csrf)) {
-            if ($session->id === $current_session->id) {
-                auth\CurrentUser::deleteSession();
-                $response->removeCookie('session_token');
-                $response->removeCookie('flusio_session_token');
-            } else {
-                $session->remove();
-            }
+        $current_session = auth\CurrentUser::session();
+        assert($current_session !== null);
+
+        if ($session->id === $current_session->id) {
+            auth\CurrentUser::deleteSession();
+            $response->removeCookie('session_token');
+            $response->removeCookie('flusio_session_token');
+        } else {
+            $session->remove();
         }
 
         return $response;
diff --git a/src/forms/security/DeleteSession.php b/src/forms/security/DeleteSession.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\forms\security;
+
+use App\forms\BaseForm;
+
+/**
+ * @author  Marien Fressinaud <dev@marienfressinaud.fr>
+ * @license http://www.gnu.org/licenses/agpl-3.0.en.html AGPL
+ */
+class DeleteSession extends BaseForm
+{
+}
diff --git a/src/models/Session.php b/src/models/Session.php
@@ -18,6 +18,7 @@ class Session
 {
     use dao\Session;
     use Database\Recordable;
+    use Database\Resource;
 
     public const SCOPES = ['browser', 'api'];
 
diff --git a/src/views/my/sessions/index.phtml b/src/views/my/sessions/index.phtml
@@ -48,13 +48,13 @@
 
                     <?php if ($session->id !== $current_session->id): ?>
                         <form method="post" action="<?= url('delete session', ['id' => $session->id]) ?>">
-                            <input type="hidden" name="csrf" value="<?= csrf_token() ?>" />
-
                             <small>
                                 <button class="button--smaller" type="submit">
                                     <?= _('disconnect') ?>
                                 </button>
                             </small>
+
+                            <input type="hidden" name="csrf_token" value="<?= csrf_token('security\\DeleteSession') ?>" />
                         </form>
                     <?php endif; ?>
                 </div>
diff --git a/tests/controllers/my/SessionsTest.php b/tests/controllers/my/SessionsTest.php
@@ -3,13 +3,15 @@
 namespace App\controllers\my;
 
 use App\auth;
+use App\forms;
 use App\models;
 use tests\factories\SessionFactory;
 use tests\factories\UserFactory;
 
 class SessionsTest extends \PHPUnit\Framework\TestCase
 {
     use \Minz\Tests\ApplicationHelper;
+    use \Minz\Tests\CsrfHelper;
     use \Minz\Tests\InitializerHelper;
     use \Minz\Tests\ResponseAsserts;
     use \Minz\Tests\TimeHelper;
@@ -45,7 +47,7 @@ public function testIndexRedirectsIfPasswordIsNotConfirmed(): void
 
         $response = $this->appRun('GET', '/my/sessions');
 
-        $this->assertResponseCode($response, 302, '/my/security/confirmation?from=%2Fmy%2Fsessions');
+        $this->assertResponseCode($response, 302, '/my/security/confirmation?redirect_to=%2Fmy%2Fsessions');
     }
 
     public function testIndexRedirectsIfUserIsNotConnected(): void
@@ -69,7 +71,7 @@ public function testDeleteRemovesTheSessionAndRedirects(): void
         ]);
 
         $response = $this->appRun('POST', "/my/sessions/{$session->id}/deletion", [
-            'csrf' => \App\Csrf::generate(),
+            'csrf_token' => $this->csrfToken(forms\security\DeleteSession::class),
         ]);
 
         $this->assertResponseCode($response, 302, '/my/sessions');
@@ -90,7 +92,7 @@ public function testDeleteLogsOutIfGivenSessionIsCurrentSession(): void
         $this->assertNotNull($session);
 
         $response = $this->appRun('POST', "/my/sessions/{$session->id}/deletion", [
-            'csrf' => \App\Csrf::generate(),
+            'csrf_token' => $this->csrfToken(forms\security\DeleteSession::class),
         ]);
 
         $this->assertResponseCode($response, 302, '/my/sessions');
@@ -116,7 +118,7 @@ public function testDeleteDoesNotRemoveSessionIfCsrfIsInvalid(): void
         ]);
 
         $response = $this->appRun('POST', "/my/sessions/{$session->id}/deletion", [
-            'csrf' => 'not the token',
+            'csrf_token' => 'not the token',
         ]);
 
         $this->assertResponseCode($response, 302, '/my/sessions');
@@ -131,10 +133,10 @@ public function testDeleteRedirectsIfUserIsNotConnected(): void
         ]);
 
         $response = $this->appRun('POST', "/my/sessions/{$session->id}/deletion", [
-            'csrf' => \App\Csrf::generate(),
+            'csrf_token' => $this->csrfToken(forms\security\DeleteSession::class),
         ]);
 
-        $this->assertResponseCode($response, 302, '/login?redirect_to=%2Fmy%2Fsessions');
+        $this->assertResponseCode($response, 302, '/login?redirect_to=%2F');
         $this->assertTrue(models\Session::exists($session->id));
     }
 
@@ -152,10 +154,10 @@ public function testDeleteRedirectsIfPasswordIsNotConfirmed(): void
         ]);
 
         $response = $this->appRun('POST', "/my/sessions/{$session->id}/deletion", [
-            'csrf' => \App\Csrf::generate(),
+            'csrf_token' => $this->csrfToken(forms\security\DeleteSession::class),
         ]);
 
-        $this->assertResponseCode($response, 302, '/my/security/confirmation?from=%2Fmy%2Fsessions');
+        $this->assertResponseCode($response, 302, '/my/security/confirmation?redirect_to=%2F');
         $this->assertTrue(models\Session::exists($session->id));
     }
 
@@ -173,7 +175,7 @@ public function testDeleteFailsIfSessionDoesNotExist(): void
         ]);
 
         $response = $this->appRun('POST', "/my/sessions/not-an-id/deletion", [
-            'csrf' => \App\Csrf::generate(),
+            'csrf_token' => $this->csrfToken(forms\security\DeleteSession::class),
         ]);
 
         $this->assertResponseCode($response, 404);

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ public static function can(?models\User $user, string $action, object $subject):`
`37`	`37`	`$access_class = NotesAccess::class;`
`38`	`38`	`} elseif ($subject instanceof models\Importation) {`
`39`	`39`	`$access_class = ImportationsAccess::class;`
	`40`	`+ } elseif ($subject instanceof models\Session) {`
	`41`	`+ $access_class = SessionsAccess::class;`
`40`	`42`	`} else {`
`41`	`43`	`throw new \InvalidArgumentException("{$subject_class} subject is not supported");`
`42`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ class Session`
`18`	`18`	`{`
`19`	`19`	`use dao\Session;`
`20`	`20`	`use Database\Recordable;`
	`21`	`+ use Database\Resource;`
`21`	`22`
`22`	`23`	`public const SCOPES = ['browser', 'api'];`
`23`	`24`