Fix SQLite session_id (#2977)

This fixes an issue with device_id/session_ids. If a `device_id` is reused, we would reuse the same `session_id`, since we delete one device and insert a new one directly, resulting in the query to get a new `session_id` to return the previous session_id. (`SELECT count(access_token)`)
2025-08-01 13:52:46 +00:00 · 2023-02-17 11:39:46 +01:00 · 2023-02-17 11:39:46 +01:00 · f0805071d5
commit f0805071d5
parent 11d9b9db0e
4 changed files with 74 additions and 18 deletions
--- a/userapi/storage/sqlite3/devices_table.go
+++ b/userapi/storage/sqlite3/devices_table.go
@ -65,7 +65,7 @@ const selectDeviceByIDSQL = "" +
 	"SELECT display_name, last_seen_ts, ip FROM userapi_devices WHERE localpart = $1 AND server_name = $2 AND device_id = $3"

 const selectDevicesByLocalpartSQL = "" +
-	"SELECT device_id, display_name, last_seen_ts, ip, user_agent FROM userapi_devices WHERE localpart = $1 AND server_name = $2 AND device_id != $3 ORDER BY last_seen_ts DESC"
+	"SELECT device_id, display_name, last_seen_ts, ip, user_agent, session_id FROM userapi_devices WHERE localpart = $1 AND server_name = $2 AND device_id != $3 ORDER BY last_seen_ts DESC"

 const updateDeviceNameSQL = "" +
 	"UPDATE userapi_devices SET display_name = $1 WHERE localpart = $2 AND server_name = $3 AND device_id = $4"
@ -80,7 +80,7 @@ const deleteDevicesSQL = "" +
 	"DELETE FROM userapi_devices WHERE localpart = $1 AND server_name = $2 AND device_id IN ($3)"

 const selectDevicesByIDSQL = "" +
-	"SELECT device_id, localpart, server_name, display_name, last_seen_ts FROM userapi_devices WHERE device_id IN ($1) ORDER BY last_seen_ts DESC"
+	"SELECT device_id, localpart, server_name, display_name, last_seen_ts, session_id FROM userapi_devices WHERE device_id IN ($1) ORDER BY last_seen_ts DESC"

 const updateDeviceLastSeen = "" +
 	"UPDATE userapi_devices SET last_seen_ts = $1, ip = $2, user_agent = $3 WHERE localpart = $4 AND server_name = $5 AND device_id = $6"
@ -162,6 +162,27 @@ func (s *devicesStatements) InsertDevice(
 	}, nil
 }

+func (s *devicesStatements) InsertDeviceWithSessionID(ctx context.Context, txn *sql.Tx, id,
+	localpart string, serverName gomatrixserverlib.ServerName,
+	accessToken string, displayName *string, ipAddr, userAgent string,
+	sessionID int64,
+) (*api.Device, error) {
+	createdTimeMS := time.Now().UnixNano() / 1000000
+	insertStmt := sqlutil.TxStmt(txn, s.insertDeviceStmt)
+	if _, err := insertStmt.ExecContext(ctx, id, localpart, serverName, accessToken, createdTimeMS, displayName, sessionID, createdTimeMS, ipAddr, userAgent); err != nil {
+		return nil, err
+	}
+	return &api.Device{
+		ID:          id,
+		UserID:      userutil.MakeUserID(localpart, serverName),
+		AccessToken: accessToken,
+		SessionID:   sessionID,
+		LastSeenTS:  createdTimeMS,
+		LastSeenIP:  ipAddr,
+		UserAgent:   userAgent,
+	}, nil
+}
+
 func (s *devicesStatements) DeleteDevice(
 	ctx context.Context, txn *sql.Tx, id string,
 	localpart string, serverName gomatrixserverlib.ServerName,
@ -271,7 +292,7 @@ func (s *devicesStatements) SelectDevicesByLocalpart(
 	var lastseents sql.NullInt64
 	var id, displayname, ip, useragent sql.NullString
 	for rows.Next() {
-		err = rows.Scan(&id, &displayname, &lastseents, &ip, &useragent)
+		err = rows.Scan(&id, &displayname, &lastseents, &ip, &useragent, &dev.SessionID)
 		if err != nil {
 			return devices, err
 		}
@ -317,7 +338,7 @@ func (s *devicesStatements) SelectDevicesByID(ctx context.Context, deviceIDs []s
 	var displayName sql.NullString
 	var lastseents sql.NullInt64
 	for rows.Next() {
-		if err := rows.Scan(&dev.ID, &localpart, &serverName, &displayName, &lastseents); err != nil {
+		if err := rows.Scan(&dev.ID, &localpart, &serverName, &displayName, &lastseents, &dev.SessionID); err != nil {
 			return nil, err
 		}
 		if displayName.Valid {