fix(session): Avoid two useless authtoken DB queries for every anonymous request

Co-Authored-By: Christoph Wurst <christoph@winzerhof-wurst.at> Signed-off-by: Git'Fellow <12234510+solracsf@users.noreply.github.com> Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
2026-05-28 04:32:30 -04:00 · 2024-01-06 09:03:59 +01:00 · 2024-01-06 09:03:59 +01:00 · d29b239d72
commit d29b239d72
parent d65d0bd195
2 changed files with 55 additions and 2 deletions
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@ -840,13 +840,16 @@ class Session implements IUserSession, Emitter {
 		$authHeader = $request->getHeader('Authorization');
 		if (strpos($authHeader, 'Bearer ') === 0) {
 			$token = substr($authHeader, 7);
-		} else {
-			// No auth header, let's try session id
+		} elseif ($request->getCookie($this->config->getSystemValueString('instanceid')) !== null) {
+			// No auth header, let's try session id, but only if this is an existing
+			// session and the request has a session cookie
 			try {
 				$token = $this->session->getId();
 			} catch (SessionNotAvailableException $ex) {
 				return false;
 			}
+		} else {
+			return false;
 		}

 		if (!$this->loginWithToken($token)) {
--- a/tests/lib/User/SessionTest.php
+++ b/tests/lib/User/SessionTest.php
@ -483,6 +483,56 @@ class SessionTest extends \Test\TestCase {
 		$userSession->logClientIn('john', 'doe', $request, $this->throttler);
 	}

+	public function testTryTokenLoginNoHeaderNoSessionCookie(): void {
+		$request = $this->createMock(IRequest::class);
+		$this->config->expects(self::once())
+			->method('getSystemValueString')
+			->with('instanceid')
+			->willReturn('abc123');
+		$request->method('getHeader')->with('Authorization')->willReturn('');
+		$request->method('getCookie')->with('abc123')->willReturn(null);
+		$this->tokenProvider->expects(self::never())
+			->method('getToken');
+
+		$loginResult = $this->userSession->tryTokenLogin($request);
+
+		self::assertFalse($loginResult);
+	}
+
+	public function testTryTokenLoginAuthorizationHeaderTokenNotFound(): void {
+		$request = $this->createMock(IRequest::class);
+		$request->method('getHeader')->with('Authorization')->willReturn('Bearer abcde-12345');
+		$this->tokenProvider->expects(self::once())
+			->method('getToken')
+			->with('abcde-12345')
+			->willThrowException(new InvalidTokenException());
+
+		$loginResult = $this->userSession->tryTokenLogin($request);
+
+		self::assertFalse($loginResult);
+	}
+
+	public function testTryTokenLoginSessionIdTokenNotFound(): void {
+		$request = $this->createMock(IRequest::class);
+		$this->config->expects(self::once())
+			->method('getSystemValueString')
+			->with('instanceid')
+			->willReturn('abc123');
+		$request->method('getHeader')->with('Authorization')->willReturn('');
+		$request->method('getCookie')->with('abc123')->willReturn('abcde12345');
+		$this->session->expects(self::once())
+			->method('getId')
+			->willReturn('abcde12345');
+		$this->tokenProvider->expects(self::once())
+			->method('getToken')
+			->with('abcde12345')
+			->willThrowException(new InvalidTokenException());
+
+		$loginResult = $this->userSession->tryTokenLogin($request);
+
+		self::assertFalse($loginResult);
+	}
+
 	public function testRememberLoginValidToken() {
 		$session = $this->getMockBuilder(Memory::class)->setConstructorArgs([''])->getMock();
 		$managerMethods = get_class_methods(Manager::class);