From b5fbff947ba7d0b82f555c9b2ea062c2ee068ba5 Mon Sep 17 00:00:00 2001
From: Sam
Date: Tue, 26 Jul 2016 11:37:41 +1000
Subject: [PATCH] FIX: don't expire old sessions when logging in
---
 lib/auth/default_current_user_provider.rb | 11 ++++++++---
 .../default_current_user_provider_spec.rb | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
index 9562314b8..84ef64dc9 100644
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -72,9 +72,14 @@ class Auth::DefaultCurrentUserProvider
 end
 
 def log_on_user(user, session, cookies)
- user.auth_token = SecureRandom.hex(16)
- user.auth_token_updated_at = Time.zone.now
- user.save!
+ legit_token = user.auth_token && user.auth_token.length == 32
+ expired_token = user.auth_token_updated_at && user.auth_token_updated_at < SiteSetting.maximum_session_age.hours.ago
+
+ if !legit_token || expired_token
+ user.update_columns(auth_token: SecureRandom.hex(16),
+ auth_token_updated_at: Time.zone.now)
+ end
+
 cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }
 make_developer_admin(user)
 enable_bootstrap_mode(user)
diff --git a/spec/components/auth/default_current_user_provider_spec.rb b/spec/components/auth/default_current_user_provider_spec.rb
index 45e29c05c..14991eafa 100644
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
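Review bot: The new `expired_token` check treats a nil `auth_token_updated_at` as "not expired", so a user row that already carries a 32-character `auth_token` but no timestamp keeps that token on every login and never gets one stamped; `expired_token = user.auth_token_updated_at.nil? || user.auth_token_updated_at < SiteSetting.maximum_session_age.hours.ago` rotates it once and records the time. Because a valid, unexpired token is now kept across logins, re-authenticating no longer invalidates a token that leaked from another device, which the old `SecureRandom.hex(16)`-on-every-login behaviour did implicitly; that trade-off deserves a comment above the `if`, e.g. `# Keep a valid, unexpired token so other devices stay logged in; rotation now only happens on expiry (logout/password change must handle compromise — verify elsewhere).` Note also that `update_columns` bypasses validations and callbacks, so nothing hooked on the user model observes this write — presumably intended, but worth stating in the same comment. `log_on_user` continues past the end of the hunk.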
@@ -83,7 +83,26 @@ describe Auth::DefaultCurrentUserProvider do
 provider("/", "HTTP_COOKIE" => "_t=#{user.auth_token}").refresh_session(user, {}, cookies)
 expect(user.auth_token_updated_at - Time.now).to eq(0)
+ end
 
+ it "recycles existing auth_token correctly" do
+ SiteSetting.maximum_session_age = 3
+ user = Fabricate(:user)
+ provider('/').log_on_user(user, {}, {})
+
+ original_auth_token = user.auth_token
+
+ freeze_time 2.hours.from_now
+ provider('/').log_on_user(user, {}, {})
+
+ user.reload
+ expect(user.auth_token).to eq(original_auth_token)
+
+ freeze_time 10.hours.from_now
+
+ provider('/').log_on_user(user, {}, {})
+ user.reload
+ expect(user.auth_token).not_to eq(original_auth_token)
 end
 
 it "correctly expires session" do
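Review bot: The new example only exercises the expiry path of `log_on_user`; the `!legit_token` branch that the fix introduces (a nil or wrong-length `auth_token`) and the case of a 32-character token with no `auth_token_updated_at` are not covered, so a regression there would pass this spec. A second example along the lines of `user.update_columns(auth_token: "short", auth_token_updated_at: nil)`, `provider('/').log_on_user(user, {}, {})`, `expect(user.reload.auth_token.length).to eq(32)` would pin the new token being minted and stamped. It would also be worth asserting that the value written to `cookies[TOKEN_COOKIE]` on the second login equals `original_auth_token`, since the stated goal of the change is that the cookie issued at re-login reuses the existing session token. `SiteSetting.maximum_session_age = 3` is set without a visible reset; if the suite does not restore site settings between examples this leaks into "correctly expires session" below — verify.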