add tests for expired/invalid sessions

features/api/v1/tokens/sessions.feature

@@ -242,6 +242,31 @@ Feature: Token sessions
     And the response headers should not contain "Set-Cookie"
     And the current account should have 1 "session"
 
+  # expiry
+  Scenario: User reads their profile via session authentication
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And I am a user of account "test1"
+    And I authenticate with a session
+    When I send a GET request to "/accounts/test1/me"
+    Then the response status should be "200"
+
+  Scenario: User reads their profile via expired session authentication
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And I am a user of account "test1"
+    And I authenticate with an expired session
+    When I send a GET request to "/accounts/test1/me"
+    Then the response status should be "401"
+
+  Scenario: User creates a license via invalid session authentication
+    Given the current account is "test1"
+    And the current account has 1 "user"
+    And I am a user of account "test1"
+    And I authenticate with an invalid session
+    When I send a GET request to "/accounts/test1/me"
+    Then the response status should be "401"
+
   # envs
   Scenario: License validates itself via session authentication (isolated license in isolated env)
     Given the current account is "test1"

features/step_definitions/authentication_steps.rb

@@ -205,3 +205,52 @@
 
   header "Cookie", %(session_id=#{esc})
 end
+
+Given /^I authenticate with an expired session$/ do
+  @token   = @bearer.tokens.first_or_create!(account: @bearer.account, bearer: @bearer)
+  @session = @token.sessions.create!(
+    expiry: 1.hour.ago,
+    user_agent: 'keygen/test',
+    ip: '127.0.0.1',
+  )
+
+  app       = Rails.application
+  config    = app.config
+  keygen    = app.key_generator
+  salt      = config.action_dispatch.authenticated_encrypted_cookie_salt
+  cipher    = config.action_dispatch.encrypted_cookie_cipher
+  key_len   = ActiveSupport::MessageEncryptor.key_len(cipher)
+  key       = keygen.generate_key(salt, key_len)
+  encryptor = ActiveSupport::MessageEncryptor.new(key,
+    serializer: ActiveSupport::MessageEncryptor::NullSerializer,
+    cipher:,
+  )
+
+  dec = JSON.dump(@session.id)
+  enc = encryptor.encrypt_and_sign(dec, purpose: 'cookie.session_id')
+  esc = CGI.escape(enc)
+
+  header "Cookie", %(session_id=#{esc})
+end
+
+Given /^I authenticate with an invalid session$/ do
+  @token   = @bearer.tokens.first_or_create!(account: @bearer.account, bearer: @bearer)
+
+  app       = Rails.application
+  config    = app.config
+  keygen    = app.key_generator
+  salt      = config.action_dispatch.authenticated_encrypted_cookie_salt
+  cipher    = config.action_dispatch.encrypted_cookie_cipher
+  key_len   = ActiveSupport::MessageEncryptor.key_len(cipher)
+  key       = keygen.generate_key(salt, key_len)
+  encryptor = ActiveSupport::MessageEncryptor.new(key,
+    serializer: ActiveSupport::MessageEncryptor::NullSerializer,
+    cipher:,
+  )
+
+  dec = JSON.dump(SecureRandom.uuid)
+  enc = encryptor.encrypt_and_sign(dec, purpose: 'cookie.session_id')
+  esc = CGI.escape(enc)
+
+  header "Cookie", %(session_id=#{esc})
+end