Auth: Reset existing user/browser sessions when upgrading #808 #3943

Signed-off-by: Michael Mayer <michael@photoprism.app>

frontend/src/common/session.js

@@ -184,10 +184,16 @@ export default class Session {
     this.id = null;
     this.authToken = null;
     this.provider = "";
+
+    // "sessionId" is the SHA256 hash of the auth token.
     this.storage.removeItem("sessionId");
     this.storage.removeItem("authToken");
     this.storage.removeItem("provider");
 
+    // The "session_id" storage key is deprecated in favor of "authToken",
+    // but should continue to be removed when logging out:
+    this.storage.removeItem("session_id");
+
     delete Api.defaults.headers.common[RequestHeader];
   }
 

internal/migrate/dialect_mysql.go

@@ -165,4 +165,10 @@ var DialectMySQL = Migrations{
 		Stage:      "main",
 		Statements: []string{"UPDATE auth_users SET user_role = 'contributor' WHERE user_role = 'uploader';", "UPDATE auth_sessions SET auth_provider = 'link' WHERE auth_provider = 'token';"},
 	},
+	{
+		ID:         "20240112-000001",
+		Dialect:    "mysql",
+		Stage:      "main",
+		Statements: []string{"TRUNCATE auth_sessions;"},
+	},
 }

internal/migrate/dialect_sqlite3.go

@@ -93,4 +93,10 @@ var DialectSQLite3 = Migrations{
 		Stage:      "main",
 		Statements: []string{"UPDATE auth_users SET user_role = 'contributor' WHERE user_role = 'uploader';", "UPDATE auth_sessions SET auth_provider = 'link' WHERE auth_provider = 'token';"},
 	},
+	{
+		ID:         "20240112-000001",
+		Dialect:    "sqlite3",
+		Stage:      "main",
+		Statements: []string{"DELETE FROM auth_sessions;"},
+	},
 }

internal/migrate/mysql/20240112-000001.sql

@@ -0,0 +1 @@
+TRUNCATE auth_sessions;

internal/migrate/sqlite3/20240112-000001.sql

@@ -0,0 +1 @@
+DELETE FROM auth_sessions;