marcel/familienarchiv
1
0
Fork 0
Code Issues 114 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

fix(auth): guard revokeOtherSessions/revokeAllSessions against null sessionRepository

Browse Source 
Addresses Nora (blocker 1) and Felix (suggestion): both revocation methods
now return 0 immediately when sessionRepository is unavailable (non-web
test contexts where JdbcHttpSessionAutoConfiguration does not fire).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-05-18 13:27:29 +02:00
parent fdb9ae31ae
commit d7eca25eb7
2 changed files with 22 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java
View File

@@ -75,6 +75,7 @@ public class AuthService {
}
public int revokeOtherSessions(String currentSessionId, String principalName) {
if (sessionRepository == null) return 0;
int count = 0;
for (String id : sessionRepository.findByPrincipalName(principalName).keySet()) {
if (!id.equals(currentSessionId)) {
@@ -86,6 +87,7 @@ public class AuthService {
}
public int revokeAllSessions(String principalName) {
if (sessionRepository == null) return 0;
var sessions = sessionRepository.findByPrincipalName(principalName);
sessions.keySet().forEach(sessionRepository::deleteById);
return sessions.size();

20
backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java
View File

@@ -214,4 +214,24 @@ class AuthServiceTest {
verify(sessionRepository).deleteById("session-1");
verify(sessionRepository).deleteById("session-2");
}
// ─── null-guard when sessionRepository is unavailable ────────────────────
@Test
void revokeAllSessions_returns_zero_when_sessionRepository_is_null() {
ReflectionTestUtils.setField(authService, "sessionRepository", null);
int count = authService.revokeAllSessions("user@test.de");
assertThat(count).isEqualTo(0);
}
@Test
void revokeOtherSessions_returns_zero_when_sessionRepository_is_null() {
ReflectionTestUtils.setField(authService, "sessionRepository", null);
int count = authService.revokeOtherSessions("session-keep", "user@test.de");
assertThat(count).isEqualTo(0);
}
}