From 014c613c939543388cddd35946bbba510a79115b Mon Sep 17 00:00:00 2001
From: Steven Nguyen <1477010+stnguyen90@users.noreply.github.com>
Date: Fri, 22 Nov 2024 21:52:27 +0000
Subject: [PATCH] fix: update secret returned from users.createSession()

1. Include at least 1 factor because the minumum number of factors
   required when mfa is disabled is 1.
2. Purge the cached user document to ensure the new session is included
   in subsequent requests for the user.
3. Fix the encoding of the secret to match other parts of the codebase.
---
 app/controllers/api/users.php          | 6 +++++-
 tests/e2e/Services/Users/UsersBase.php | 8 ++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/app/controllers/api/users.php b/app/controllers/api/users.php
index 42f7a59f54..bdb24572eb 100644
--- a/app/controllers/api/users.php
+++ b/app/controllers/api/users.php
@@ -1804,6 +1804,7 @@ App::post('/v1/users/:userId/sessions')
                 'provider' => Auth::SESSION_PROVIDER_SERVER,
                 'secret' => Auth::hash($secret), // One way hash encryption to protect DB leak
                 'userAgent' => $request->getUserAgent('UNKNOWN'),
+                'factors' => ['server'],
                 'ip' => $request->getIP(),
                 'countryCode' => ($record) ? \strtolower($record['country']['iso_code']) : '--',
                 'expire' => $expire,
@@ -1816,8 +1817,11 @@ App::post('/v1/users/:userId/sessions')
         $countryName = $locale->getText('countries.' . strtolower($session->getAttribute('countryCode')), $locale->getText('locale.country.unknown'));
 
         $session = $dbForProject->createDocument('sessions', $session);
+
+        $dbForProject->purgeCachedDocument('users', $user->getId());
+
         $session
-            ->setAttribute('secret', $secret)
+            ->setAttribute('secret', Auth::encodeSession($user->getId(), $secret))
             ->setAttribute('countryName', $countryName);
 
         $queueForEvents
diff --git a/tests/e2e/Services/Users/UsersBase.php b/tests/e2e/Services/Users/UsersBase.php
index bd0a8ef937..bbf9a5e2df 100644
--- a/tests/e2e/Services/Users/UsersBase.php
+++ b/tests/e2e/Services/Users/UsersBase.php
@@ -310,6 +310,14 @@ trait UsersBase
         $this->assertNotEmpty($session['secret']);
         $this->assertNotEmpty($session['expire']);
         $this->assertEquals('server', $session['provider']);
+
+        $response = $this->client->call(Client::METHOD_GET, '/account', [
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+            'x-appwrite-session' => $session['secret']
+        ]);
+
+        $this->assertEquals(200, $response['headers']['status-code']);
     }