
API User Authentication doesn't update lastSeenAt #3025

Closed
BurnNoticeSpy opened this issue Aug 15, 2021 · 8 comments · Fixed by #3058
@BurnNoticeSpy

Bug Report

Current Behavior
When you use the API to fetch a session token during user authentication, it does not trigger the user online status to be correctly updated. The lastSeenAt attribute doesn't reflect this action and subsequent API calls also do not cause any effect. Effectively, you cannot correctly display when a user is online because the data will never update.

Steps to Reproduce

  1. Make an API login request to /token
  2. Fetch user data
  3. Observe lastSeenAt on user model doesn't change

Expected Behavior
User's lastSeenAt attribute should reflect the time of login and/or further API requests sent to the server.

Environment

  • Flarum version: 1.0.4
  • Webserver: apache
  • Hosting environment: vps
  • PHP version: 7.4.3
@askvortsov1
Member

Hmm, I'm not sure that obtaining a token should count as a "seen at" operation. Using the token, on the other hand, should already result in last_seen_at being adjusted: https://github.com/flarum/core/blob/d82c093c0ff0984f70cfa52a2ea19cbdb5baa6ea/src/Http/Middleware/AuthenticateWithSession.php#L41-L41

@BurnNoticeSpy
Author

Well I can agree on obtaining an auth token specifically, but immediately following the /token request a new request to get the user data is sent off (with the auth token included) and that's basically saying "I'm requesting the data for my account, because I've just signed in"? Which presumably should update the lastSeenAt, but after testing multiple times lastSeenAt doesn't change from null. Even when navigating discussions and posting comments... but the moment I use the original Flarum client and it does its 'hard refresh' after signing in, bam, the lastSeenAt updates correctly on my client!

So I don't know if it's something I'm doing specifically or what?

@askvortsov1
Member

but immediately following the /token request a new request to get the user data is sent off

Which endpoint are you hitting for this?

@BurnNoticeSpy
Author

/api/users/1

app.store.find('users', userId);

@askvortsov1
Member

/api/users/1

Are you authenticating with the token in question? What do your request headers look like?

@BurnNoticeSpy
Author

BurnNoticeSpy commented Aug 26, 2021

Yes.

GET /api/users/1 HTTP/1.1.
Host: [removed]
Connection: keep-alive
Accept: application/json, text/*
Authorization: Token Iq6uBuT7z9GKfUkH2cN8M9EV20utd0sI94tWAhRK; userId=1
User-Agent: [removed]
Referer: [removed]
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8

I compared this to Flarum's /login endpoint and the difference is I'm not sending an X-CSRF-Token or Cookie. The request is successful, however, and so the server should have validated my session given that outcome.

@askvortsov1
Member

Ah, I see. We have the logic to updateLastSeen in the AuthenticateWithSession middleware but not AuthenticateWithHeader. That would probably make sense to include in https://github.com/flarum/core/blob/d82c093c0ff0984f70cfa52a2ea19cbdb5baa6ea/src/Http/Middleware/AuthenticateWithHeader.php#L50-L50.
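The gap described in the comment above, as an added illustration that is not Flarum's code and not part of the original thread: a header-based authenticator that mirrors the session path by stamping last seen only after the token has been validated. Class and function names (User, TokenStore, authenticateRequest) and the in-memory token store are assumptions for this example; the "userId=" segment of the header is parsed but ignored here, so the token alone decides the actor.

```php
<?php
// Added example (not Flarum's own middleware). Shows the defender-side fix
// the thread converges on: a request authenticated purely by
// "Authorization: Token <id>" must refresh last_seen_at just as a
// cookie/session request does, but only once the token is known to be valid.

final class User
{
    public function __construct(
        public int $id,
        public ?DateTimeImmutable $lastSeenAt = null,
    ) {}

    // Same effect as the session-based path: record when the actor was seen.
    public function updateLastSeen(DateTimeImmutable $now): void
    {
        $this->lastSeenAt = $now;
    }
}

final class TokenStore
{
    /** @var array<string, array{userId:int, expiresAt:DateTimeImmutable}> */
    private array $tokens = [];

    // Issuing a token on its own does NOT touch lastSeenAt (see discussion above).
    public function issue(string $id, int $userId, DateTimeImmutable $expiresAt): void
    {
        $this->tokens[$id] = ['userId' => $userId, 'expiresAt' => $expiresAt];
    }

    // Returns the owning user id only for a known, unexpired token.
    public function findValid(string $id, DateTimeImmutable $now): ?int
    {
        $row = $this->tokens[$id] ?? null;
        if ($row === null || $row['expiresAt'] <= $now) {
            return null;
        }
        return $row['userId'];
    }
}

/**
 * Parse "Authorization: Token <id>; userId=<n>" and, if the token is valid,
 * return the actor with lastSeenAt refreshed. Returns null when the header is
 * absent, malformed, or the token is unknown/expired; nothing is touched then.
 *
 * @param array<string,string> $headers  request headers, name => value
 * @param array<int,User>      $users    user table keyed by id (assumed store)
 */
function authenticateRequest(array $headers, TokenStore $tokens, array $users, DateTimeImmutable $now): ?User
{
    $line  = $headers['Authorization'] ?? '';
    $parts = array_map('trim', explode(';', $line));

    if (!isset($parts[0]) || strncmp($parts[0], 'Token ', 6) !== 0) {
        return null;                       // not a token header at all
    }

    $tokenId = substr($parts[0], 6);
    $userId  = $tokens->findValid($tokenId, $now);
    if ($userId === null || !isset($users[$userId])) {
        return null;                       // invalid token: no actor, no side effects
    }

    $actor = $users[$userId];
    $actor->updateLastSeen($now);          // the missing step in the header path
    return $actor;
}

// Constructed sample data for a stand-alone run.
$now   = new DateTimeImmutable('2021-08-26T12:00:00Z');
$users = [1 => new User(1)];
$store = new TokenStore();

$store->issue('EXAMPLE_TOKEN_ID', 1, $now->modify('+1 hour'));
var_dump($users[1]->lastSeenAt);           // NULL: fetching a token is not "seen"

$actor = authenticateRequest(['Authorization' => 'Token EXAMPLE_TOKEN_ID; userId=1'], $store, $users, $now);
echo $actor->lastSeenAt->format(DATE_ATOM), PHP_EOL;   // first authenticated API call stamps it

$none = authenticateRequest(['Authorization' => 'Token bogus; userId=1'], $store, $users, $now);
var_dump($none === null);                  // bool(true): a bad token never touches anyone
```

The ordering matters for the same reason the thread's Cookie/CSRF observation does: the timestamp is written only after the credential check succeeds, so an unauthenticated or expired request cannot mark an account as active, and a token that was merely issued but never used leaves lastSeenAt untouched.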

@BurnNoticeSpy
Author

👍 🎉 Good job @askvortsov1 ! Appreciate the swift resolution too :)

@askvortsov1 askvortsov1 added this to the 1.1 milestone Aug 27, 2021
askvortsov1 added a commit that referenced this issue Aug 27, 2021