Set global lock for session renewal and persistent session token fetch

Author: danschultzer

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 ## v1.0.18 (TBA)
 
+### Enhancements
+
+* [`Pow.Plug.Session`] Now sets a global lock when renewing the session
+* [`PowPersistentSession.Plug.Cookie`] Now sets a global lock when authenticating the user
+
 ### Bug fixes
 
 * [`Pow.Phoenix.Routes`] Fixed bug where callback route methods is not using the overridden method

lib/extensions/persistent_session/plug/cookie.ex

@@ -174,9 +174,11 @@ defmodule PowPersistentSession.Plug.Cookie do
   If a persistent session cookie exists, it'll fetch the credentials from the
   persistent session cache.
 
-  If credentials was fetched successfully, the token in the cache is deleted, a
-  new session is created, and `create/2` is called to create a new persistent
-  session cookie.
+  If credentials was fetched successfully, a global lock is set and the token
+  in the cache is deleted, a new session is created, and `create/2` is called
+  to create a new persistent session cookie. If setting the lock failed, the
+  user will fetched will be set for the `conn` with
+  `Pow.Plug.assign_current_user/3`.
 
   If a `:session_metadata` keyword list is fetched from the persistent session
   metadata, all the values will be merged into the private
@@ -205,9 +207,7 @@ defmodule PowPersistentSession.Plug.Cookie do
         conn
 
       {token, {user, metadata}} ->
-        expire_token_in_store(token, config)
-
-        auth_user(conn, user, metadata, config)
+        lock_auth_user(conn, token, user, metadata, config)
     end
   end
 
@@ -228,6 +228,18 @@ defmodule PowPersistentSession.Plug.Cookie do
   defp filter_invalid!([id: _value] = clauses), do: clauses
   defp filter_invalid!(clauses), do: raise "Invalid get_by clauses stored: #{inspect clauses}"
 
+  defp lock_auth_user(conn, token, user, metadata, config) do
+    nodes = Node.list() ++ [node()]
+
+    case :global.set_lock({[__MODULE__, token], self()}, nodes, 0) do
+      true ->
+        auth_user(conn, user, metadata, config)
+
+      false ->
+        Plug.assign_current_user(conn, user, config)
+    end
+  end
+
   defp auth_user(conn, user, metadata, config) do
     conn
     |> update_persistent_session_metadata(metadata)

lib/pow/plug/session.ex

@@ -115,8 +115,9 @@ defmodule Pow.Plug.Session do
 
   This will fetch a session from the credentials cache with the session id
   fetched through `Plug.Conn.get_session/2` session. If the credentials are
-  stale (timestamp is older than the `:session_ttl_renewal` value), the session
-  will be regenerated with `create/3`.
+  stale (timestamp is older than the `:session_ttl_renewal` value), a global
+  lock will be set, and the session will be regenerated with `create/3`.
+  Nothing happens if setting the lock failed.
 
   The metadata of the session will be assigned as a private
   `:pow_session_metadata` key in the conn so it may be used in `create/3`.
@@ -228,17 +229,26 @@ defmodule Pow.Plug.Session do
   defp convert_old_session_value(any), do: any
 
   defp handle_fetched_session_value({_session_id, :not_found}, conn, _config), do: {conn, nil}
-  defp handle_fetched_session_value({_session_id, {user, metadata}}, conn, config) when is_list(metadata) do
+  defp handle_fetched_session_value({session_id, {user, metadata}}, conn, config) when is_list(metadata) do
     conn
     |> Conn.put_private(:pow_session_metadata, metadata)
-    |> renew_stale_session(user, metadata, config)
+    |> renew_stale_session(session_id, user, metadata, config)
   end
 
-  defp renew_stale_session(conn, user, metadata, config) do
+  defp renew_stale_session(conn, session_id, user, metadata, config) do
     metadata
     |> Keyword.get(:inserted_at)
     |> session_stale?(config)
     |> case do
+      true  -> lock_create(conn, session_id, user, config)
+      false -> {conn, user}
+    end
+  end
+
+  defp lock_create(conn, session_id, user, config) do
+    nodes = Node.list() ++ [node()]
+
+    case :global.set_lock({[__MODULE__, session_id], self()}, nodes, 0) do
       true  -> create(conn, user, config)
       false -> {conn, user}
     end

test/extensions/persistent_session/plug/cookie_test.exs

@@ -58,7 +58,7 @@ defmodule PowPersistentSession.Plug.CookieTest do
     assert Plug.current_user(conn_1) == user
     assert %{value: _id, max_age: @max_age, path: "/"} = conn_1.resp_cookies[@cookie_key]
 
-    refute Plug.current_user(conn_2)
+    assert Plug.current_user(conn_2) == user
     refute conn_2.resp_cookies[@cookie_key]
   end
 

test/pow/plug/session_test.exs

@@ -146,7 +146,7 @@ defmodule Pow.Plug.SessionTest do
     refute get_session_id(conn_1) == session_id
     assert {@user, _metadata} = CredentialsCache.get(@store_config, get_session_id(conn_1))
 
-    refute Plug.current_user(conn_2)
+    assert Plug.current_user(conn_2) == @user
     refute conn_2.resp_cookies["foobar"]
     assert get_session_id(conn_2) == session_id
     assert CredentialsCache.get(@store_config, get_session_id(conn_2)) == :not_found