From 7cbe6bfcc148d0896cee0aad70fa18e3a3a9c656 Mon Sep 17 00:00:00 2001
From: Christopher Kolstad
Date: Thu, 29 Apr 2021 10:54:11 +0200
Subject: [PATCH] fix: deletes sessions for user when user is removed (#810)
---
 src/lib/db/user-store.ts | 4 ++
 src/lib/services/user-service.ts | 1 +
 src/test/e2e/api/admin/user-admin.e2e.test.ts | 4 +-
 .../e2e/services/user-service.e2e.test.ts | 40 +++++++++++++++++--
 4 files changed, 42 insertions(+), 7 deletions(-)
diff --git a/src/lib/db/user-store.ts b/src/lib/db/user-store.ts
index e2990b5efa..0723f7dee3 100644
--- a/src/lib/db/user-store.ts
+++ b/src/lib/db/user-store.ts
@@ -194,6 +194,10 @@ class UserStore {
 seen_at: new Date(),
 });
 }
+
+ async deleteAll(): Promise {
+ await this.db(TABLE).del();
+ }
 }
 module.exports = UserStore;
diff --git a/src/lib/services/user-service.ts b/src/lib/services/user-service.ts
index 6bb1cdd63c..6ed9916de4 100644
--- a/src/lib/services/user-service.ts
+++ b/src/lib/services/user-service.ts
@@ -302,6 +302,7 @@ class UserService {
 this.accessService.removeUserFromRole(userId, role.id),
 ),
 );
+ await this.sessionService.deleteSessionsForUser(userId);
 await this.store.delete(userId);
diff --git a/src/test/e2e/api/admin/user-admin.e2e.test.ts b/src/test/e2e/api/admin/user-admin.e2e.test.ts
index d74e46b689..5ea9ce9865 100644
--- a/src/test/e2e/api/admin/user-admin.e2e.test.ts
+++ b/src/test/e2e/api/admin/user-admin.e2e.test.ts
@@ -38,9 +38,7 @@ test.after.always(async () => {
 });
 test.afterEach.always(async () => {
- const users = await userStore.getAll();
- const deleteAll = users.map((u: User) => userStore.delete(u.id));
- await Promise.all(deleteAll);
+ await userStore.deleteAll();
 });
 test.serial('returns empty list of users', async t => {
diff --git a/src/test/e2e/services/user-service.e2e.test.ts b/src/test/e2e/services/user-service.e2e.test.ts
index 908ac4ffa5..c62c1d0dc7 100644
--- a/src/test/e2e/services/user-service.e2e.test.ts
+++ b/src/test/e2e/services/user-service.e2e.test.ts
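Review bot: `deleteAll()` in src/lib/db/user-store.ts issues an unfiltered `del()` on the users table and lives on the production UserStore, while the only callers visible in this patch are the e2e teardown hooks. Nothing on the method marks it as a test helper, so a later caller in service code could remove every account, and as written it touches only the users table, with none of the role or session cleanup that deleteUser performs. A doc comment such as `/** Removes every row from the users table. Intended for test teardown only; performs no role or session cleanup. */` would make that explicit; moving the helper into the test utilities would be the stricter option.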
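Review bot: The session cleanup added in src/lib/services/user-service.ts runs before `await this.store.delete(userId)`, so the account is still valid while its sessions are being removed; a login that lands between the two awaits would leave a session that outlives the user. Deleting the user row first and the sessions second, or doing both in one transaction if the stores allow it, closes that window. It is also worth confirming that deleteSessionsForUser does not reject for a user who has no sessions (the new e2e test shows getSessionsForUser throwing NotFoundError in that case), since a rejection here would abort before the user row is removed. The enclosing method starts and ends outside this hunk.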
@@ -10,12 +10,14 @@ import ResetTokenService from '../../../lib/services/reset-token-service';
 import { EmailService } from '../../../lib/services/email-service';
 import { createTestConfig } from '../../config/test-config';
 import SessionService from '../../../lib/services/session-service';
+import NotFoundError from '../../../lib/error/notfound-error';
 let db;
 let stores;
 let userService: UserService;
 let userStore: UserStore;
 let adminRole: IRole;
+let sessionService: SessionService;
 test.before(async () => {
 db = await dbInit('user_service_serial', getLogger);
@@ -24,7 +26,7 @@ test.before(async () => {
 const accessService = new AccessService(stores, config);
 const resetTokenService = new ResetTokenService(stores, config);
 const emailService = new EmailService(undefined, config.getLogger);
- const sessionService = new SessionService(stores, config);
+ sessionService = new SessionService(stores, config);
 userService = new UserService(stores, config, {
 accessService,
@@ -42,9 +44,7 @@ test.after(async () => {
 });
 test.afterEach(async () => {
- const users = await userStore.getAll();
- const deleteAll = users.map((u: User) => userStore.delete(u.id));
- await Promise.all(deleteAll);
+ await userStore.deleteAll();
 });
 test.serial('should create initial admin user', async t => {
@@ -96,3 +96,35 @@ test.serial('should get user with root role', async t => {
 t.is(user.id, u.id);
 t.is(user.rootRole, adminRole.id);
 });
+
+test.serial(`deleting a user should delete the user's sessions`, async t => {
+ const email = 'some@test.com';
+ const user = await userService.createUser({
+ email,
+ password: 'A very strange P4ssw0rd_',
+ rootRole: adminRole.id,
+ });
+ const testComSession = {
+ sid: 'xyz321',
+ sess: {
+ cookie: {
+ originalMaxAge: 2880000,
+ expires: new Date(Date.now() + 86400000).toDateString(),
+ secure: false,
+ httpOnly: true,
+ path: '/',
+ },
+ user,
+ },
+ };
+ await sessionService.insertSession(testComSession);
+ const userSessions = await sessionService.getSessionsForUser(user.id);
+ t.is(userSessions.length, 1);
+ await userService.deleteUser(user.id);
+ await t.throwsAsync(
+ async () => sessionService.getSessionsForUser(user.id),
+ {
+ instanceOf: NotFoundError,
+ },
+ );
+});
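Review bot: The new test only shows that the deleted user's sessions disappear, so it would pass equally if deleteSessionsForUser emptied the whole session table; over-deletion, which would log out every other user, is not covered. Adding a second user with its own session and asserting that it survives the deleteUser call pins the scoping. The afterEach hook clears users only, so the extra session should be removed at the end of the test.

```typescript
    // … unchanged: create `user`, build and insert `testComSession`, assert one session …
    // constructed sample values for the second account
    const other = await userService.createUser({
        email: 'other@test.com',
        password: 'A very strange P4ssw0rd_',
        rootRole: adminRole.id,
    });
    await sessionService.insertSession({
        sid: 'abc123',
        sess: { ...testComSession.sess, user: other },
    });
    await userService.deleteUser(user.id);
    // … unchanged: t.throwsAsync(...) expecting NotFoundError for user.id …
    const otherSessions = await sessionService.getSessionsForUser(other.id);
    t.is(otherSessions.length, 1);
    await sessionService.deleteSessionsForUser(other.id);
```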