[Fix-16627] [dolphinscheduler-api] LoginHandlerInterceptor.preHandle …

…check session without expire time check
apache · Feb 3, 2025 · f7d1eac · f7d1eac
1 parent 4416548
commit f7d1eac
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 5 deletions.
diff --git a/...pi/src/main/java/org/apache/dolphinscheduler/api/interceptor/LoginHandlerInterceptor.java b/...pi/src/main/java/org/apache/dolphinscheduler/api/interceptor/LoginHandlerInterceptor.java
@@ -96,8 +96,10 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
     }
 
     @Override
-    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
-                           ModelAndView modelAndView) throws Exception {
+    public void postHandle(HttpServletRequest request,
+                           HttpServletResponse response,
+                           Object handler,
+                           ModelAndView modelAndView) {
         ThreadLocalContext.getTimezoneThreadLocal().remove();
 
         int code = response.getStatus();

diff --git a/...pi/src/main/java/org/apache/dolphinscheduler/api/security/impl/AbstractAuthenticator.java b/...pi/src/main/java/org/apache/dolphinscheduler/api/security/impl/AbstractAuthenticator.java
@@ -119,10 +119,14 @@ public User getAuthUser(HttpServletRequest request) {
                 sessionId = cookie.getValue();
             }
         }
-        Session session = sessionService.getSession(sessionId);
+        final Session session = sessionService.getSession(sessionId);
         if (session == null) {
             return null;
         }
+        if (sessionService.isSessionExpire(session)) {
+            sessionService.expireSession(session.getUserId());
+            return null;
+        }
         // get user object from session
         return userService.queryUser(session.getUserId());
     }

diff --git a/...rc/main/java/org/apache/dolphinscheduler/api/security/impl/pwd/PasswordAuthenticator.java b/...rc/main/java/org/apache/dolphinscheduler/api/security/impl/pwd/PasswordAuthenticator.java
@@ -20,10 +20,12 @@
 import org.apache.dolphinscheduler.api.security.impl.AbstractAuthenticator;
 import org.apache.dolphinscheduler.dao.entity.User;
 
+import lombok.NonNull;
+
 public class PasswordAuthenticator extends AbstractAuthenticator {
 
     @Override
-    public User login(String userName, String password) {
+    public User login(@NonNull String userName, String password) {
         return userService.queryUser(userName, password);
     }
 }
diff --git a/...er-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/SessionServiceImpl.java b/...er-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/SessionServiceImpl.java
@@ -94,7 +94,7 @@ public void expireSession(Integer userId) {
 
     @Override
     public boolean isSessionExpire(Session session) {
-        return System.currentTimeMillis() - session.getLastLoginTime().getTime() <= Constants.SESSION_TIME_OUT * 1000;
+        return System.currentTimeMillis() - session.getLastLoginTime().getTime() >= Constants.SESSION_TIME_OUT * 1000;
     }
 
 }
diff --git a/...ler-api/src/test/java/org/apache/dolphinscheduler/api/controller/LoginControllerTest.java b/...ler-api/src/test/java/org/apache/dolphinscheduler/api/controller/LoginControllerTest.java
@@ -27,7 +27,12 @@
 import org.apache.dolphinscheduler.api.utils.Result;
 import org.apache.dolphinscheduler.common.constants.Constants;
 import org.apache.dolphinscheduler.common.utils.JSONUtils;
+import org.apache.dolphinscheduler.dao.entity.Session;
+import org.apache.dolphinscheduler.dao.repository.SessionDao;
 
+import org.apache.http.HttpStatus;
+
+import java.util.Date;
 import java.util.Map;
 
 import javax.servlet.http.Cookie;
@@ -36,6 +41,7 @@
 import org.junit.jupiter.api.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.test.web.servlet.MvcResult;
@@ -49,6 +55,9 @@ public class LoginControllerTest extends AbstractControllerTest {
 
     private static final Logger logger = LoggerFactory.getLogger(LoginControllerTest.class);
 
+    @Autowired
+    private SessionDao sessionDao;
+
     @Test
     public void testLogin() throws Exception {
         MultiValueMap<String, String> paramsMap = new LinkedMultiValueMap<>();
@@ -85,6 +94,18 @@ public void testSignOut() throws Exception {
         logger.info(mvcResult.getResponse().getContentAsString());
     }
 
+    @Test
+    void testSignOutWithExpireSession() throws Exception {
+        final Session session = sessionDao.queryById(sessionId);
+        session.setLastLoginTime(new Date(System.currentTimeMillis() - Constants.SESSION_TIME_OUT * 1000 - 1));
+        sessionDao.updateById(session);
+
+        mockMvc.perform(post("/signOut")
+                .header("sessionId", sessionId))
+                .andExpect(status().is(HttpStatus.SC_UNAUTHORIZED))
+                .andReturn();
+    }
+
     @Test
     void testClearCookie() throws Exception {
         MvcResult mvcResult = mockMvc.perform(delete("/cookies")