From e5ab40c9119c5a39036ac352b1f8fe02dc6edcb5 Mon Sep 17 00:00:00 2001
From: Henry Oswald
Date: Thu, 9 Oct 2014 18:10:01 +0100
Subject: [PATCH] added example session invalidation code
---
.../Security/SessionInvalidator.coffee | 26 +++++++++
.../Security/SessionInvalidatorTests.coffee | 57 +++++++++++++++++++
2 files changed, 83 insertions(+)
create mode 100644 services/web/app/coffee/Features/Security/SessionInvalidator.coffee
create mode 100644 services/web/test/UnitTests/coffee/Security/SessionInvalidatorTests.coffee
diff --git a/services/web/app/coffee/Features/Security/SessionInvalidator.coffee b/services/web/app/coffee/Features/Security/SessionInvalidator.coffee
new file mode 100644
index 0000000000..668019f6f2
--- /dev/null
+++ b/services/web/app/coffee/Features/Security/SessionInvalidator.coffee
@@ -0,0 +1,26 @@
+Settings = require("settings-sharelatex")
+redis = require("redis-sharelatex")
+rclient = redis.createClient(Settings.redis.web)
+crypto = require("crypto")
+async = require("async")
+
+
+module.exports =
+
+ _getEmailKey : (email)->
+ hash = crypto.createHash("md5").update(email).digest("hex")
+ return "e_sess:#{hash}"
+
+ tracksession:(sessionId, email, callback = ->)->
+ session_lookup_key = @_getEmailKey(email)
+ rclient.set session_lookup_key, sessionId, callback
+
+ invalidateSession:(email, callback = ->)->
+ session_lookup_key = @_getEmailKey(email)
+ rclient.get session_lookup_key, (err, sessionId)->
+ async.series [
+ (cb)-> rclient.del sessionId, cb
+ (cb)-> rclient.del session_lookup_key, cb
+ ], callback
+
+
diff --git a/services/web/test/UnitTests/coffee/Security/SessionInvalidatorTests.coffee b/services/web/test/UnitTests/coffee/Security/SessionInvalidatorTests.coffee
new file mode 100644
index 0000000000..1a4550c248
--- /dev/null
+++ b/services/web/test/UnitTests/coffee/Security/SessionInvalidatorTests.coffee
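Review bot: In SessionInvalidator.coffee, `tracksession` keeps one value per email via `rclient.set`, so each new login overwrites the previous session id and `invalidateSession` can only delete the most recent session; earlier sessions for the same account stay valid after an invalidation. The `rclient.get` callback also drops `err` and never checks that a `sessionId` was returned, so a Redis error or an untracked email still reaches `rclient.del sessionId` and the failure is not reported to the caller. Tracking the ids in a Redis set and deleting every member covers both, assuming the `redis-sharelatex` client exposes `sadd`/`smembers` and array arguments to `del` as the underlying driver does. `_getEmailKey` hashes the address exactly as passed, so unless callers normalise case the same mailbox can map to different keys, and the lookup key is written without an expiry.

```coffeescript
  tracksession:(sessionId, email, callback = ->)->
    # … unchanged: session_lookup_key = @_getEmailKey(email) …
    # a Redis set holds every live session for the address, not only the newest
    rclient.sadd session_lookup_key, sessionId, callback

  invalidateSession:(email, callback = ->)->
    # … unchanged: session_lookup_key = @_getEmailKey(email) …
    rclient.smembers session_lookup_key, (err, sessionIds)->
      return callback(err) if err?
      # remove every tracked session key together with the lookup set itself
      keys = (sessionIds or []).concat [session_lookup_key]
      rclient.del keys, callback
```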
@@ -0,0 +1,57 @@
+should = require('chai').should()
+SandboxedModule = require('sandboxed-module')
+assert = require('assert')
+path = require('path')
+sinon = require('sinon')
+modulePath = path.join __dirname, "../../../../app/js/Features/Security/SessionInvalidator"
+expect = require("chai").expect
+
+describe "SessionInvaildator", ->
+
+ beforeEach ->
+ @settings =
+ redis:
+ web:{}
+ @rclient =
+ del:sinon.stub()
+ set:sinon.stub().callsArgWith(2)
+ get:sinon.stub()
+ @SessionInvaildator = SandboxedModule.require modulePath, requires:
+ "settings-sharelatex":@settings
+ "logger-sharelatex": log:->
+ "redis-sharelatex": createClient:=>
+ return @rclient
+ @emailAddress = "bob@smith"
+ @sessionId = "sess:123456"
+ @stubbedKey = "e_sess:7890"
+
+ describe "_getEmailKey", ->
+
+ it "should get the email key by hashing it", ->
+ result = @SessionInvaildator._getEmailKey "bob@smith.com"
+ result.should.equal "e_sess:6815b961bfb8f83dd4cecd357e55e62d"
+
+ describe "tracksession", ->
+
+ it "should save the session in redis", (done)->
+
+ @SessionInvaildator._getEmailKey = sinon.stub().returns(@stubbedKey)
+ @SessionInvaildator.tracksession @sessionId, @emailAddress, =>
+ @rclient.set.calledWith(@stubbedKey).should.equal true
+ done()
+
+
+ describe "invalidateSession", (done)->
+
+ beforeEach ->
+ @SessionInvaildator._getEmailKey = sinon.stub().returns(@stubbedKey)
+ @rclient.del.callsArgWith(1)
+
+ it "get the session key and delete it", (done)->
+ @rclient.get.callsArgWith 1, null, @sessionId
+ @SessionInvaildator.invalidateSession @emailAddress, =>
+ @rclient.del.calledWith(@sessionId).should.equal true
+ @rclient.del.calledWith(@stubbedKey).should.equal true
+
+ done()
+
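Review bot: The `tracksession` test in SessionInvalidatorTests.coffee asserts only the key, `@rclient.set.calledWith(@stubbedKey)`, so it would still pass if the wrong value were stored under it; `@rclient.set.calledWith(@stubbedKey, @sessionId).should.equal true` pins the email-to-session mapping. There is no case where `@rclient.get` yields an error or no session id, which is the path on which `invalidateSession` calls `del` without a usable key. `describe "invalidateSession", (done)->` declares a `done` argument the block never uses and should read `describe "invalidateSession", ->`; the suite name `SessionInvaildator` is also misspelled.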