FIX: don't expire old sessions when logging in

lib/auth/default_current_user_provider.rb

@@ -72,9 +72,14 @@ class Auth::DefaultCurrentUserProvider
   end
 
   def log_on_user(user, session, cookies)
-    user.auth_token = SecureRandom.hex(16)
+    legit_token = user.auth_token && user.auth_token.length == 32
-    user.auth_token_updated_at = Time.zone.now
+    expired_token = user.auth_token_updated_at && user.auth_token_updated_at < SiteSetting.maximum_session_age.hours.ago
-    user.save!
+
+    if !legit_token || expired_token
+      user.update_columns(auth_token: SecureRandom.hex(16),
+                          auth_token_updated_at: Time.zone.now)
+    end
+
     cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }
     make_developer_admin(user)
     enable_bootstrap_mode(user)

spec/components/auth/default_current_user_provider_spec.rb

@@ -83,7 +83,26 @@ describe Auth::DefaultCurrentUserProvider do
     provider("/", "HTTP_COOKIE" => "_t=#{user.auth_token}").refresh_session(user, {}, cookies)
 
     expect(user.auth_token_updated_at - Time.now).to eq(0)
+  end
 
+  it "recycles existing auth_token correctly" do
+    SiteSetting.maximum_session_age = 3
+    user = Fabricate(:user)
+    provider('/').log_on_user(user, {}, {})
+
+    original_auth_token = user.auth_token
+
+    freeze_time 2.hours.from_now
+    provider('/').log_on_user(user, {}, {})
+
+    user.reload
+    expect(user.auth_token).to eq(original_auth_token)
+
+    freeze_time 10.hours.from_now
+
+    provider('/').log_on_user(user, {}, {})
+    user.reload
+    expect(user.auth_token).not_to eq(original_auth_token)
   end
 
   it "correctly expires session" do