refactor(auth): streamline session authentication and cookie handling

40e129b8 · Johnny · 87b8c2b2 · 40e129b8 · 40e129b8 · 40e129b8
Commit 40e129b8 authored Dec 16, 2025 by Johnny
8 changed files
--- a/server/auth/authenticator.go
+++ b/server/auth/authenticator.go
@@ -38,23 +38,23 @@ func NewAuthenticator(store *store.Store, secret string) *Authenticator {
 // AuthenticateBySession validates a session cookie and returns the authenticated user.
 //
 // Validation steps:
-// 1. Parse cookie value to extract userID and sessionID
+// 1. Use session ID to find the user and session details (single DB query)
 // 2. Verify user exists and is not archived
-// 3. Verify session exists in user's sessions list
+// 3. Check session hasn't expired (sliding expiration: 14 days from last access)
-// 4. Check session hasn't expired (sliding expiration: 14 days from last access)
 //
 // Returns the user if authentication succeeds, or an error describing the failure.
-func (a *Authenticator) AuthenticateBySession(ctx context.Context, sessionCookieValue string) (*store.User, error) {
+func (a *Authenticator) AuthenticateBySession(ctx context.Context, sessionID string) (*store.User, error) {
-	if sessionCookieValue == "" {
+	if sessionID == "" {
-		return nil, errors.New("session cookie value not found")
+		return nil, errors.New("session ID not found")
 	}
-	userID, sessionID, err := ParseSessionCookieValue(sessionCookieValue)
+	// Find the session and user in a single database query
+	result, err := a.store.GetUserSessionByID(ctx, sessionID)
 	if err != nil {
-		return nil, errors.Wrap(err, "invalid session cookie format")
+		return nil, errors.Wrap(err, "session not found")
 	}
-	user, err := a.store.GetUser(ctx, &store.FindUser{ID: &userID})
+	user, err := a.store.GetUser(ctx, &store.FindUser{ID: &result.UserID})
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to get user")
 	}
@@ -65,13 +65,12 @@ func (a *Authenticator) AuthenticateBySession(ctx context.Context, sessionCookie
 		return nil, errors.New("user is archived")
 	}
-	sessions, err := a.store.GetUserSessions(ctx, user.ID)
+	// Validate session expiration
-	if err != nil {
+	if result.Session.LastAccessedTime != nil {
-		return nil, errors.Wrap(err, "failed to get user sessions")
+		expiration := result.Session.LastAccessedTime.AsTime().Add(SessionSlidingDuration)
+		if expiration.Before(time.Now()) {
+			return nil, errors.New("session expired")
 		}
-	if !validateSession(sessionID, sessions) {
-		return nil, errors.New("invalid or expired session")
 	}
 	return user, nil
@@ -168,23 +167,6 @@ func (a *Authenticator) AuthorizeAndSetContext(ctx context.Context, procedure st
 	return ctx, nil
 }
-// validateSession checks if a session exists and is still valid.
-// Uses sliding expiration: session is valid if last accessed within SessionSlidingDuration.
-func validateSession(sessionID string, sessions []*storepb.SessionsUserSetting_Session) bool {
-	for _, session := range sessions {
-		if sessionID == session.SessionId {
-			if session.LastAccessedTime != nil {
-				expiration := session.LastAccessedTime.AsTime().Add(SessionSlidingDuration)
-				if expiration.Before(time.Now()) {
-					return false // Session expired
-				}
-			}
-			return true
-		}
-	}
-	return false // Session not found
-}
 // validateAccessToken checks if the token exists in the user's access tokens list.
 // This enables token revocation: deleted tokens are removed from the list.
 func validateAccessToken(token string, tokens []*storepb.AccessTokensUserSetting_AccessToken) bool {
@@ -215,15 +197,12 @@ type AuthResult struct {
 // It tries session cookie first, then JWT token.
 // Returns nil if no valid credentials are provided.
 // On successful session auth, it also updates the session sliding expiration.
-func (a *Authenticator) Authenticate(ctx context.Context, sessionCookie, authHeader string) *AuthResult {
+func (a *Authenticator) Authenticate(ctx context.Context, sessionID, authHeader string) *AuthResult {
 	// Try session cookie authentication first
-	if sessionCookie != "" {
+	if sessionID != "" {
-		user, err := a.AuthenticateBySession(ctx, sessionCookie)
+		user, err := a.AuthenticateBySession(ctx, sessionID)
 		if err == nil && user != nil {
-			_, sessionID, parseErr := ParseSessionCookieValue(sessionCookie)
-			if parseErr == nil && sessionID != "" {
 			a.UpdateSessionLastAccessed(ctx, user.ID, sessionID)
-			}
 			return &AuthResult{User: user, SessionID: sessionID}
 		}
 	}

--- a/server/auth/token.go
+++ b/server/auth/token.go
@@ -11,11 +11,9 @@ package auth
 import (
 	"fmt"
-	"strings"
 	"time"
 	"github.com/golang-jwt/jwt/v5"
-	"github.com/pkg/errors"
 	"github.com/usememos/memos/internal/util"
 )
@@ -40,7 +38,7 @@ const (
 	SessionSlidingDuration = 14 * 24 * time.Hour
 	// SessionCookieName is the HTTP cookie name used to store session information.
-	// Cookie value format: {userID}-{sessionID}.
+	// Cookie value is the session ID (UUID).
 	SessionCookieName = "user_session"
 )
@@ -108,37 +106,7 @@ func generateToken(username string, userID int32, audience string, expirationTim
 //
 // Uses UUID v4 (random) for high entropy and uniqueness.
 // Session IDs are stored in user settings and used to identify browser sessions.
+// The session ID is stored directly in the cookie as the cookie value.
 func GenerateSessionID() string {
 	return util.GenUUID()
 }
-// BuildSessionCookieValue creates the session cookie value.
-//
-// Format: {userID}-{sessionID}
-// Example: "123-550e8400-e29b-41d4-a716-446655440000"
-//
-// This format allows quick extraction of both user ID and session ID
-// from the cookie without database lookup during authentication.
-func BuildSessionCookieValue(userID int32, sessionID string) string {
-	return fmt.Sprintf("%d-%s", userID, sessionID)
-}
-// ParseSessionCookieValue extracts user ID and session ID from cookie value.
-//
-// Input format: "{userID}-{sessionID}"
-// Returns: (userID, sessionID, error)
-//
-// Example: "123-550e8400-..." → (123, "550e8400-...", nil).
-func ParseSessionCookieValue(cookieValue string) (int32, string, error) {
-	parts := strings.SplitN(cookieValue, "-", 2)
-	if len(parts) != 2 {
-		return 0, "", errors.New("invalid session cookie format")
-	}
-	userID, err := util.ConvertStringToInt32(parts[0])
-	if err != nil {
-		return 0, "", errors.Errorf("invalid user ID in session cookie: %v", err)
-	}
-	return userID, parts[1], nil
-}
--- a/server/router/api/v1/auth_service.go
+++ b/server/router/api/v1/auth_service.go
@@ -230,9 +230,8 @@ func (s *APIV1Service) doSignIn(ctx context.Context, user *store.User, expireTim
 		slog.Error("failed to track user session", "error", err)
 	}
-	// Set session cookie for web use (format: userID-sessionID)
+	// Set session cookie for web use
-	sessionCookieValue := auth.BuildSessionCookieValue(user.ID, sessionID)
+	sessionCookie, err := s.buildSessionCookie(ctx, sessionID, expireTime)
-	sessionCookie, err := s.buildSessionCookie(ctx, sessionCookieValue, expireTime)
 	if err != nil {
 		return status.Errorf(codes.Internal, "failed to build session cookie, error: %v", err)
 	}

--- a/store/db/mysql/user_setting.go
+++ b/store/db/mysql/user_setting.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"strings"
+	"github.com/pkg/errors"
 	storepb "github.com/usememos/memos/proto/gen/store"
 	"github.com/usememos/memos/store"
 )
@@ -54,3 +56,42 @@ func (d *DB) ListUserSettings(ctx context.Context, find *store.FindUserSetting)
 	return userSettingList, nil
 }
+func (d *DB) GetUserSessionByID(ctx context.Context, sessionID string) (*store.UserSessionQueryResult, error) {
+	// Query user_setting that contains this sessionID in the sessions array
+	// Use JSON_SEARCH to check if sessionID exists in the array
+	query := `
+		SELECT 
+			user_id,
+			value
+		FROM user_setting
+		WHERE ` + "`key`" + ` = 'SESSIONS'
+		  AND JSON_SEARCH(value, 'one', ?, NULL, '$.sessions[*].sessionId') IS NOT NULL
+	`
+	var userID int32
+	var sessionsJSON string
+	err := d.db.QueryRowContext(ctx, query, sessionID).Scan(&userID, &sessionsJSON)
+	if err != nil {
+		return nil, err
+	}
+	// Parse the entire sessions list using protobuf unmarshaler
+	sessionsUserSetting := &storepb.SessionsUserSetting{}
+	if err := protojsonUnmarshaler.Unmarshal([]byte(sessionsJSON), sessionsUserSetting); err != nil {
+		return nil, err
+	}
+	// Find the specific session by ID
+	for _, session := range sessionsUserSetting.Sessions {
+		if session.SessionId == sessionID {
+			return &store.UserSessionQueryResult{
+				UserID:  userID,
+				Session: session,
+			}, nil
+		}
+	}
+	return nil, errors.New("session not found")
+}
--- a/store/db/postgres/user_setting.go
+++ b/store/db/postgres/user_setting.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"strings"
+	"github.com/pkg/errors"
 	storepb "github.com/usememos/memos/proto/gen/store"
 	"github.com/usememos/memos/store"
 )
@@ -67,3 +69,46 @@ func (d *DB) ListUserSettings(ctx context.Context, find *store.FindUserSetting)
 	return userSettingList, nil
 }
+func (d *DB) GetUserSessionByID(ctx context.Context, sessionID string) (*store.UserSessionQueryResult, error) {
+	// Query user_setting that contains this sessionID in the sessions array
+	// Use EXISTS with jsonb_array_elements to check array membership
+	query := `
+		SELECT 
+			user_setting.user_id,
+			user_setting.value
+		FROM user_setting
+		WHERE user_setting.key = 'SESSIONS'
+		  AND EXISTS (
+		      SELECT 1 
+		      FROM jsonb_array_elements(user_setting.value::jsonb->'sessions') AS session
+		      WHERE session->>'sessionId' = $1
+		  )
+	`
+	var userID int32
+	var sessionsJSON string
+	err := d.db.QueryRowContext(ctx, query, sessionID).Scan(&userID, &sessionsJSON)
+	if err != nil {
+		return nil, err
+	}
+	// Parse the entire sessions list using protobuf unmarshaler
+	sessionsUserSetting := &storepb.SessionsUserSetting{}
+	if err := protojsonUnmarshaler.Unmarshal([]byte(sessionsJSON), sessionsUserSetting); err != nil {
+		return nil, err
+	}
+	// Find the specific session by ID
+	for _, session := range sessionsUserSetting.Sessions {
+		if session.SessionId == sessionID {
+			return &store.UserSessionQueryResult{
+				UserID:  userID,
+				Session: session,
+			}, nil
+		}
+	}
+	return nil, errors.New("session not found")
+}
--- a/store/db/sqlite/user_setting.go
+++ b/store/db/sqlite/user_setting.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"strings"
+	"github.com/pkg/errors"
 	storepb "github.com/usememos/memos/proto/gen/store"
 	"github.com/usememos/memos/store"
 )
@@ -66,3 +68,46 @@ func (d *DB) ListUserSettings(ctx context.Context, find *store.FindUserSetting)
 	return userSettingList, nil
 }
+func (d *DB) GetUserSessionByID(ctx context.Context, sessionID string) (*store.UserSessionQueryResult, error) {
+	// Query user_setting that contains this sessionID in the sessions array
+	// Use EXISTS with json_each to properly check array membership
+	query := `
+		SELECT 
+			user_setting.user_id,
+			user_setting.value
+		FROM user_setting
+		WHERE user_setting.key = 'SESSIONS'
+		  AND EXISTS (
+		      SELECT 1 
+		      FROM json_each(json_extract(user_setting.value, '$.sessions')) AS session
+		      WHERE json_extract(session.value, '$.sessionId') = ?
+		  )
+	`
+	var userID int32
+	var sessionsJSON string
+	err := d.db.QueryRowContext(ctx, query, sessionID).Scan(&userID, &sessionsJSON)
+	if err != nil {
+		return nil, err
+	}
+	// Parse the entire sessions list using protobuf unmarshaler
+	sessionsUserSetting := &storepb.SessionsUserSetting{}
+	if err := protojsonUnmarshaler.Unmarshal([]byte(sessionsJSON), sessionsUserSetting); err != nil {
+		return nil, err
+	}
+	// Find the specific session by ID
+	for _, session := range sessionsUserSetting.Sessions {
+		if session.SessionId == sessionID {
+			return &store.UserSessionQueryResult{
+				UserID:  userID,
+				Session: session,
+			}, nil
+		}
+	}
+	return nil, errors.New("session not found")
+}
--- a/store/driver.go
+++ b/store/driver.go
@@ -48,6 +48,7 @@ type Driver interface {
 	// UserSetting model related methods.
 	UpsertUserSetting(ctx context.Context, upsert *UserSetting) (*UserSetting, error)
 	ListUserSettings(ctx context.Context, find *FindUserSetting) ([]*UserSetting, error)
+	GetUserSessionByID(ctx context.Context, sessionID string) (*UserSessionQueryResult, error)
 	// IdentityProvider model related methods.
 	CreateIdentityProvider(ctx context.Context, create *IdentityProvider) (*IdentityProvider, error)

--- a/store/user_setting.go
+++ b/store/user_setting.go
@@ -21,6 +21,12 @@ type FindUserSetting struct {
 	Key    storepb.UserSetting_Key
 }
+// UserSessionQueryResult contains the result of querying a single session by ID.
+type UserSessionQueryResult struct {
+	UserID  int32
+	Session *storepb.SessionsUserSetting_Session
+}
 func (s *Store) UpsertUserSetting(ctx context.Context, upsert *storepb.UserSetting) (*storepb.UserSetting, error) {
 	userSettingRaw, err := convertUserSettingToRaw(upsert)
 	if err != nil {
@@ -241,6 +247,12 @@ func (s *Store) UpdateUserSessionLastAccessed(ctx context.Context, userID int32,
 	return err
 }
+// GetUserSessionByID returns the session details for the given session ID.
+// Uses database-specific JSON queries for efficient lookup without loading all sessions.
+func (s *Store) GetUserSessionByID(ctx context.Context, sessionID string) (*UserSessionQueryResult, error) {
+	return s.driver.GetUserSessionByID(ctx, sessionID)
+}
 // GetUserWebhooks returns the webhooks of the user.
 func (s *Store) GetUserWebhooks(ctx context.Context, userID int32) ([]*storepb.WebhooksUserSetting_Webhook, error) {
 	userSetting, err := s.GetUserSetting(ctx, &FindUserSetting{