From 91eadbc21f383ac4f6faed91f952282b6238d13c Mon Sep 17 00:00:00 2001
From: Michael Mayer
Date: Fri, 12 Jan 2024 12:50:52 +0100
Subject: [PATCH] Auth: Reset existing user/browser sessions when upgrading #808 #3943
Signed-off-by: Michael Mayer
---
 frontend/src/common/session.js | 6 ++++++
 internal/migrate/dialect_mysql.go | 6 ++++++
 internal/migrate/dialect_sqlite3.go | 6 ++++++
 internal/migrate/mysql/20240112-000001.sql | 1 +
 internal/migrate/sqlite3/20240112-000001.sql | 1 +
 5 files changed, 20 insertions(+)
 create mode 100644 internal/migrate/mysql/20240112-000001.sql
 create mode 100644 internal/migrate/sqlite3/20240112-000001.sql
diff --git a/frontend/src/common/session.js b/frontend/src/common/session.js
index 3790a6653..097160fc7 100644
--- a/frontend/src/common/session.js
+++ b/frontend/src/common/session.js
@@ -184,10 +184,16 @@ export default class Session {
 this.id = null;
 this.authToken = null;
 this.provider = "";
+
+ // "sessionId" is the SHA256 hash of the auth token.
 this.storage.removeItem("sessionId");
 this.storage.removeItem("authToken");
 this.storage.removeItem("provider");
+ // The "session_id" storage key is deprecated in favor of "authToken",
+ // but should continue to be removed when logging out:
+ this.storage.removeItem("session_id");
+
 delete Api.defaults.headers.common[RequestHeader];
 }
diff --git a/internal/migrate/dialect_mysql.go b/internal/migrate/dialect_mysql.go
index b6cd17c43..5934d1e38 100644
--- a/internal/migrate/dialect_mysql.go
+++ b/internal/migrate/dialect_mysql.go
@@ -165,4 +165,10 @@ var DialectMySQL = Migrations{
 Stage: "main",
 Statements: []string{"UPDATE auth_users SET user_role = 'contributor' WHERE user_role = 'uploader';", "UPDATE auth_sessions SET auth_provider = 'link' WHERE auth_provider = 'token';"},
 },
+ {
+ ID: "20240112-000001",
+ Dialect: "mysql",
+ Stage: "main",
+ Statements: []string{"TRUNCATE auth_sessions;"},
+ },
 }
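Review bot: The legacy `session_id` key is cleared only in this reset path, so a browser that never logs out keeps the old value in web storage after the upgrade. The new comment says the key was superseded by `authToken`, which suggests it held a credential; the server-side wipe in migration `20240112-000001` makes it unusable, but it is still better not to leave it readable by page scripts. Consider also calling `this.storage.removeItem("session_id");` where the session is restored from storage at startup; that code, like the start of this method, is outside the hunk.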
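Review bot: `TRUNCATE auth_sessions;` in the new `20240112-000001` entry of `DialectMySQL` is DDL on MySQL/MariaDB: it needs the DROP privilege, commits implicitly, and is rejected when another table references `auth_sessions` through a foreign key, whereas the SQLite entry with the same ID uses a plain DELETE. If the statement fails for a least-privilege database account, the pre-upgrade sessions presumably stay valid, which defeats the purpose of the reset; how the migration runner treats a failed statement is not visible here. Consider `Statements: []string{"DELETE FROM auth_sessions;"},` here and the same statement in `internal/migrate/mysql/20240112-000001.sql`, so both dialects behave alike.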
diff --git a/internal/migrate/dialect_sqlite3.go b/internal/migrate/dialect_sqlite3.go
index e18800aac..0e2eb3e41 100644
--- a/internal/migrate/dialect_sqlite3.go
+++ b/internal/migrate/dialect_sqlite3.go
@@ -93,4 +93,10 @@ var DialectSQLite3 = Migrations{
 Stage: "main",
 Statements: []string{"UPDATE auth_users SET user_role = 'contributor' WHERE user_role = 'uploader';", "UPDATE auth_sessions SET auth_provider = 'link' WHERE auth_provider = 'token';"},
 },
+ {
+ ID: "20240112-000001",
+ Dialect: "sqlite3",
+ Stage: "main",
+ Statements: []string{"DELETE FROM auth_sessions;"},
+ },
 }
diff --git a/internal/migrate/mysql/20240112-000001.sql b/internal/migrate/mysql/20240112-000001.sql
new file mode 100644
index 000000000..a6ce00990
--- /dev/null
+++ b/internal/migrate/mysql/20240112-000001.sql
@@ -0,0 +1 @@
+TRUNCATE auth_sessions;
\ No newline at end of file
diff --git a/internal/migrate/sqlite3/20240112-000001.sql b/internal/migrate/sqlite3/20240112-000001.sql
new file mode 100644
index 000000000..c42371c5f
--- /dev/null
+++ b/internal/migrate/sqlite3/20240112-000001.sql
@@ -0,0 +1 @@
+DELETE FROM auth_sessions;
\ No newline at end of file
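Review bot: `DELETE FROM auth_sessions;` in the new `DialectSQLite3` entry removes every row, not only user/browser sessions: the entry just above it in this list shows the table also holds rows with `auth_provider = 'link'`. If those rows, or any other non-interactive credentials kept in the table (not visible here), are meant to survive the upgrade, the statement needs a `WHERE` filter on `auth_provider`. If the full wipe is intended, which is the safer default for a session reset, a one-line SQL comment in `internal/migrate/sqlite3/20240112-000001.sql` stating that would help whoever audits the migration later. The MySQL entry with the same ID has the same scope.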