[Fix-16627] [dolphinscheduler-api] LoginHandlerInterceptor.preHandle check session without expire time check

ruanwenjun · ruanwenjun · commit f7d1eac2fb73 · 2025-02-03T10:29:13.000+08:00
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/interceptor/LoginHandlerInterceptor.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/interceptor/LoginHandlerInterceptor.java
@@ -96,8 +96,10 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
     }
 
     @Override
-    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
-                           ModelAndView modelAndView) throws Exception {
+    public void postHandle(HttpServletRequest request,
+                           HttpServletResponse response,
+                           Object handler,
+                           ModelAndView modelAndView) {
         ThreadLocalContext.getTimezoneThreadLocal().remove();
 
         int code = response.getStatus();
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/AbstractAuthenticator.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/AbstractAuthenticator.java
@@ -119,10 +119,14 @@ public User getAuthUser(HttpServletRequest request) {
                 sessionId = cookie.getValue();
             }
         }
-        Session session = sessionService.getSession(sessionId);
+        final Session session = sessionService.getSession(sessionId);
         if (session == null) {
             return null;
         }
+        if (sessionService.isSessionExpire(session)) {
+            sessionService.expireSession(session.getUserId());
+            return null;
+        }
         // get user object from session
         return userService.queryUser(session.getUserId());
     }
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/pwd/PasswordAuthenticator.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/pwd/PasswordAuthenticator.java
@@ -20,10 +20,12 @@
 import org.apache.dolphinscheduler.api.security.impl.AbstractAuthenticator;
 import org.apache.dolphinscheduler.dao.entity.User;
 
+import lombok.NonNull;
+
 public class PasswordAuthenticator extends AbstractAuthenticator {
 
     @Override
-    public User login(String userName, String password) {
+    public User login(@NonNull String userName, String password) {
         return userService.queryUser(userName, password);
     }
 }
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/SessionServiceImpl.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/SessionServiceImpl.java
@@ -94,7 +94,7 @@ public void expireSession(Integer userId) {
 
     @Override
     public boolean isSessionExpire(Session session) {
-        return System.currentTimeMillis() - session.getLastLoginTime().getTime() <= Constants.SESSION_TIME_OUT * 1000;
+        return System.currentTimeMillis() - session.getLastLoginTime().getTime() >= Constants.SESSION_TIME_OUT * 1000;
     }
 
 }
diff --git a/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/controller/LoginControllerTest.java b/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/controller/LoginControllerTest.java
@@ -27,7 +27,12 @@
 import org.apache.dolphinscheduler.api.utils.Result;
 import org.apache.dolphinscheduler.common.constants.Constants;
 import org.apache.dolphinscheduler.common.utils.JSONUtils;
+import org.apache.dolphinscheduler.dao.entity.Session;
+import org.apache.dolphinscheduler.dao.repository.SessionDao;
 
+import org.apache.http.HttpStatus;
+
+import java.util.Date;
 import java.util.Map;
 
 import javax.servlet.http.Cookie;
@@ -36,6 +41,7 @@
 import org.junit.jupiter.api.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.test.web.servlet.MvcResult;
@@ -49,6 +55,9 @@ public class LoginControllerTest extends AbstractControllerTest {
 
     private static final Logger logger = LoggerFactory.getLogger(LoginControllerTest.class);
 
+    @Autowired
+    private SessionDao sessionDao;
+
     @Test
     public void testLogin() throws Exception {
         MultiValueMap<String, String> paramsMap = new LinkedMultiValueMap<>();
@@ -85,6 +94,18 @@ public void testSignOut() throws Exception {
         logger.info(mvcResult.getResponse().getContentAsString());
     }
 
+    @Test
+    void testSignOutWithExpireSession() throws Exception {
+        final Session session = sessionDao.queryById(sessionId);
+        session.setLastLoginTime(new Date(System.currentTimeMillis() - Constants.SESSION_TIME_OUT * 1000 - 1));
+        sessionDao.updateById(session);
+
+        mockMvc.perform(post("/signOut")
+                .header("sessionId", sessionId))
+                .andExpect(status().is(HttpStatus.SC_UNAUTHORIZED))
+                .andReturn();
+    }
+
     @Test
     void testClearCookie() throws Exception {
         MvcResult mvcResult = mockMvc.perform(delete("/cookies")

Original file line number	Diff line number	Diff line change
`@@ -119,10 +119,14 @@ public User getAuthUser(HttpServletRequest request) {`
`119`	`119`	`sessionId = cookie.getValue();`
`120`	`120`	`}`
`121`	`121`	`}`
`122`		`- Session session = sessionService.getSession(sessionId);`
	`122`	`+ final Session session = sessionService.getSession(sessionId);`
`123`	`123`	`if (session == null) {`
`124`	`124`	`return null;`
`125`	`125`	`}`
	`126`	`+ if (sessionService.isSessionExpire(session)) {`
	`127`	`+ sessionService.expireSession(session.getUserId());`
	`128`	`+ return null;`
	`129`	`+ }`
`126`	`130`	`// get user object from session`
`127`	`131`	`return userService.queryUser(session.getUserId());`
`128`	`132`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,10 +20,12 @@`
`20`	`20`	`import org.apache.dolphinscheduler.api.security.impl.AbstractAuthenticator;`
`21`	`21`	`import org.apache.dolphinscheduler.dao.entity.User;`
`22`	`22`
	`23`	`+import lombok.NonNull;`
	`24`	`+`
`23`	`25`	`public class PasswordAuthenticator extends AbstractAuthenticator {`
`24`	`26`
`25`	`27`	`@Override`
`26`		`- public User login(String userName, String password) {`
	`28`	`+ public User login(@NonNull String userName, String password) {`
`27`	`29`	`return userService.queryUser(userName, password);`
`28`	`30`	`}`
`29`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ public void expireSession(Integer userId) {`
`94`	`94`
`95`	`95`	`@Override`
`96`	`96`	`public boolean isSessionExpire(Session session) {`
`97`		`- return System.currentTimeMillis() - session.getLastLoginTime().getTime() <= Constants.SESSION_TIME_OUT * 1000;`
	`97`	`+ return System.currentTimeMillis() - session.getLastLoginTime().getTime() >= Constants.SESSION_TIME_OUT * 1000;`
`98`	`98`	`}`
`99`	`99`
`100`	`100`	`}`