Fix : Session token issue #373

Merged
merged 5 commits into from
Feb 12, 2016

flessard
Contributor

In the _User collection a field _session_token is present, and if you fetch
the user data from the server, this field overrides the sessionToken saved
in your browser.

If you don't fetch the user, all requests to the server contain the right
sessionToken, and if you fetch the user data from the server, all subsequent
requests will contain the wrong sessionToken, coming from the
_session_token in the fetched user data.

@flessard flessard changed the title Fix session token issue Fix : Session token issue Feb 12, 2016
@gfosco
Contributor

gfosco commented Feb 12, 2016

Yeah this makes sense, for older migrated users, who used to have non-expiring session tokens. Can you add a test which fetches the user and ensures the session token hasn't changed?

@facebook-github-bot

@flessard updated the pull request.

@flessard
Contributor Author

@gfosco I added a test, but I am not sure if I did it the right way. Never done before :)

@gfosco
Contributor

gfosco commented Feb 12, 2016

The test looks good.. Can you rebase now?

@facebook-github-bot

@flessard updated the pull request.

gfosco added a commit that referenced this pull request Feb 12, 2016
@gfosco gfosco merged commit 2a200fc into parse-community:master Feb 12, 2016
@gfosco
Contributor

gfosco commented Feb 12, 2016

Thanks! 👍

@flessard flessard deleted the session-token branch February 15, 2016 15:37
@absolutlabs

Hello
It seems like auth with FB is still facing this issue : #427 :/

@flessard
Contributor Author

@absolutlabs I just tried with a unit test and everything works perfectly. Did you run on 2.0.8?

@absolutlabs

Yep, we deleted the app on Heroku and created a new one. On the logs it says :

Build succeeded!
remote:        ├── express@4.2.0
remote:        ├── kerberos@0.0.18
remote:        ├── parse@1.6.14
remote:        └── parse-server@2.0.8

... and we were still facing the same issue.

On our tests, we found that everything works perfectly if I sign on with a new FB user.
It only fails with pre-existing users, those who existed before the migration to heroku + Mongolab.

We found that, if we compare both _User documents, the old one has more properties :

Old user :

{
    "_id": "KzUnmx2JnG",
    "_auth_data_facebook": {
        "access_token": "CAAJ7Nw3qQHoBAP7xpz6V88VSHtAiZC9Xh8DOmr6tDer3t3XleelGRH6m3pF2COSWLOkOveFpv37p28B86ynZAvDgNVDGLX46ZGFtnv11fH9oWoFuctGPB03HIhPVBsQbm0jhYgX5M3WBltnkPDUTr0BJBjxBJluqF5TTVzb4Iyaq3216PAZAZCp2Vs6Bj9eMZBjzTTXx2n5m2LzdYuMZAJupxsyT2byLx4ZD",
        "expiration_date": {
            "$date": "2016-03-08T18:01:30.507Z"
        },
        "id": "10153643454290149"
    },
    "_created_at": {
        "$date": "2015-10-27T22:07:38.356Z"
    },
    "_updated_at": {
        "$date": "2016-02-17T15:39:58.708Z"
    },
    "username": "ZS3fTmNAFIdXpoWs1ktoves22",
    "_session_token": "ai31jKTlpIpC90PH0zhqFVljz",
    "_perishable_token": "bb6FC0zqqyHs6wurLkaWIoMC6",
    "_hashed_password": "$2a$10$JVgszoW7FnHYlc9b4F.43.GulRvj4QSCuMZy1G7W7wX8bFE7VVj7u"
}

With a freshly created user, we got :

{
    "_id": "JHSQcHYFnt",
    "installationId": "7006684d-06da-4eeb-b3f7-b1fe517ee0f6",
    "_updated_at": {
        "$date": "2016-02-17T18:26:53.456Z"
    },
    "_created_at": {
        "$date": "2016-02-17T18:26:52.333Z"
    },
    "username": "d2bc1cfe0c2e4b7a4fd808bff46f4ab0",
    "_auth_data_facebook": {
        "id": "10153643454290149",
        "access_token": "CAAJ7Nw3qQHoBAKtSYzHPCoZGYrP4EgoMx95YKGb62IaUma3IHaVqua156GHiZAn02CaIgcYMpjQf0Y1bAgxff3RjhruznVUUZAzhECmD2rq9k2H3pW4OfQUQxmhBsl6qU3TKIDJeWnON8ZBZCnmknZBuKJC2TMlSyWs3yFI0cYjPyHSKiJEA79YVFIkZCXFffPoEfScXn25d7dN2ydNLXCOOehDNckZBtoxC6B9Y4ZBP0gAZDZD",
        "expiration_date": "2016-04-17T12:23:10.071Z"
    }
}

There is no _session_token key, _hashed_password, nor _perishable_token.

After FB login with the old user, PFSession function getCurrentSessionInBackgroundWithBlock returns an object :

<_Session: 0x14340d410, objectId: 5hAxRZMYOi, localId: (null)> {
    createdWith =     {
        action = login;
        authProvider = facebook;
    };
    expiresAt = "2017-02-17T19:28:59.577Z";
    installationId = "9db70065-5c9c-4f44-8ccb-2bed5685cf65";
    restricted = 0;
    sessionToken = "r:257d0ec08e2a9a9d7bfe70af4aa69bd9";
    user = "<PFUser: 0x13dead740, objectId: MBqzdt6vcn, localId: (null)>";
}

Just after fetching the user, the user session token changes to ai31jKTlpIpC90PH0zhqFVljz (i.e. the _session_token value), and PFSession function getCurrentSessionInBackgroundWithBlock returns a null object.

And as soon as I delete the _session_token key in the old user's document, everything works fine : the session token doesn't change after fetching a user.

weird :/

Should we update every document in our _User collection on mongolab and delete the _session_key property ?
thanks !
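
The override described in this thread, reduced to a small model. This is an added example, not parse-server or Parse SDK code: the function names, the merge-on-fetch client and the sample document are constructed assumptions, and dropping internal fields in the serializer is one possible mitigation, not necessarily what this PR changed.

```javascript
// Added example: hypothetical names throughout, not parse-server or Parse SDK code.

// Storage-only keys with a public name; every other "_"-prefixed key is dropped.
const PUBLIC_NAMES = new Map([
  ['_id', 'objectId'], ['_created_at', 'createdAt'], ['_updated_at', 'updatedAt'],
]);

// Behaviour the thread describes: the legacy column leaves the server as sessionToken.
function serializeLeaky(doc) {
  const out = { objectId: doc._id, username: doc.username };
  if (doc._session_token) out.sessionToken = doc._session_token;
  return out;
}

// Hardened form: _session_token, _hashed_password and _perishable_token stay server-side.
function serializeSafe(doc) {
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    if (PUBLIC_NAMES.has(key)) out[PUBLIC_NAMES.get(key)] = value;
    else if (!key.startsWith('_')) out[key] = value;
  }
  return out;
}

// Stand-in for a client SDK that merges a fetch response into the cached current user.
function mergeFetch(cachedUser, response) {
  return { ...cachedUser, ...response };
}

// Token the client would send on its next request after login followed by a fetch.
function tokenAfterFetch(serialize, doc, loginToken) {
  const cached = { objectId: doc._id, sessionToken: loginToken };
  return mergeFetch(cached, serialize(doc)).sessionToken;
}

// Constructed sample: a migrated user that still carries the legacy columns.
const LEGACY_DOC = {
  _id: 'user0001',
  username: 'legacy-user',
  _session_token: 'legacy-token-constructed',
  _hashed_password: 'hash-placeholder',
  _perishable_token: 'perishable-placeholder',
  _updated_at: '2016-02-17T15:39:58.708Z',
};
const LOGIN_TOKEN = 'r:login-token-constructed';

console.log('leaky:', tokenAfterFetch(serializeLeaky, LEGACY_DOC, LOGIN_TOKEN));
console.log('safe: ', tokenAfterFetch(serializeSafe, LEGACY_DOC, LOGIN_TOKEN));
```

With the leaky serializer the client ends up holding the legacy token after the fetch; with the safe one it keeps the token issued at login.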

@flessard
Contributor Author

@absolutlabs 2.0.8 doesn't include the last PR, which fixes some issues with the sessionToken. You need to wait for 2.0.9.

@absolutlabs

everything works well with 2.1.2, problem is solved. thanks !
