FIX: Do not allow new session if one exists

mferrera · mferrera · commit 43250bfc54fa · 2025-05-23T09:13:26.000+02:00
diff --git a/src/fmu_settings_api/deps.py b/src/fmu_settings_api/deps.py
@@ -67,7 +67,9 @@ async def ensure_user_fmu_directory() -> UserFMUDirectory:
 UserFMUDirDep = Annotated[UserFMUDirectory, Depends(ensure_user_fmu_directory)]
 
 
-async def get_session(fmu_settings_session: str | None = Cookie(None)) -> Session:
+async def get_session(
+    fmu_settings_session: Annotated[str | None, Cookie()] = None,
+) -> Session:
     """Gets a session from the session manager."""
     if not fmu_settings_session:
         raise HTTPException(
diff --git a/src/fmu_settings_api/v1/main.py b/src/fmu_settings_api/v1/main.py
@@ -2,8 +2,9 @@
 
 import contextlib
 from pathlib import Path
+from typing import Annotated
 
-from fastapi import APIRouter, Depends, HTTPException, Response
+from fastapi import APIRouter, Cookie, Depends, HTTPException, Response
 from fmu.settings import find_nearest_fmu_directory
 from fmu.settings.models.user_config import UserConfig
 
@@ -40,16 +41,22 @@ async def v1_health_check() -> dict[str, str]:
     dependencies=[Depends(verify_auth_token)],
 )
 async def create_session(
-    response: Response, auth_token: AuthTokenDep, user_fmu_dir: UserFMUDirDep
+    response: Response,
+    auth_token: AuthTokenDep,
+    user_fmu_dir: UserFMUDirDep,
+    fmu_settings_session: Annotated[str | None, Cookie()] = None,
 ) -> SessionResponse:
     """Establishes a user session."""
+    if fmu_settings_session:
+        raise HTTPException(status_code=409, detail="A session already exists")
+
     try:
         session_id = await create_fmu_session(user_fmu_dir)
         response.set_cookie(
             key=settings.SESSION_COOKIE_KEY,
             value=session_id,
             httponly=True,
-            secure=True,
+            secure=False,
             samesite="lax",
         )
         config_dict = user_fmu_dir.config.load().model_dump()
diff --git a/tests/test_v1/test_create_session.py b/tests/test_v1/test_create_session.py
@@ -16,20 +16,20 @@
 from fmu_settings_api.models import FMUProject, SessionResponse
 from fmu_settings_api.session import ProjectSession, Session, SessionManager
 
-client = TestClient(app)
-
 ROUTE = "/api/v1/session"
 
 
 def test_get_session_no_token() -> None:
     """Tests the fmu routes require a session."""
+    client = TestClient(app)
     response = client.post(ROUTE)
     assert response.status_code == status.HTTP_403_FORBIDDEN, response.json()
     assert response.json() == {"detail": "Not authenticated"}
 
 
 def test_get_session_invalid_token() -> None:
     """Tests the fmu routes require a session."""
+    client = TestClient(app)
     bad_token = "no" * 32
     response = client.post(ROUTE, headers={settings.TOKEN_HEADER_NAME: bad_token})
     assert response.status_code == status.HTTP_401_UNAUTHORIZED
@@ -40,6 +40,7 @@ def test_get_session_no_token_does_not_create_user_fmu(
     tmp_path_mocked_home: Path,
 ) -> None:
     """Tests unauthenticated requests do not create a user .fmu."""
+    client = TestClient(app)
     response = client.post(ROUTE)
     assert response.status_code == status.HTTP_403_FORBIDDEN
     assert response.json() == {"detail": "Not authenticated"}
@@ -50,6 +51,7 @@ def test_get_session_invalid_token_does_not_create_user_fmu(
     tmp_path_mocked_home: Path,
 ) -> None:
     """Tests unauthorized requests do not create a user .fmu."""
+    client = TestClient(app)
     bad_token = "no" * 32
     response = client.post(ROUTE, headers={settings.TOKEN_HEADER_NAME: bad_token})
     assert response.status_code == status.HTTP_401_UNAUTHORIZED
@@ -61,6 +63,7 @@ def test_get_session_create_user_fmu_no_permissions(
     user_fmu_dir_no_permissions: Path, mock_token: str
 ) -> None:
     """Tests that user .fmu directory permissions errors return a 403."""
+    client = TestClient(app)
     response = client.post(ROUTE, headers={settings.TOKEN_HEADER_NAME: mock_token})
     assert response.status_code == status.HTTP_403_FORBIDDEN
     assert response.json() == {"detail": "Permission denied creating user .fmu"}
@@ -70,6 +73,7 @@ def test_get_session_creating_user_fmu_exists_as_a_file(
     tmp_path_mocked_home: Path, mock_token: str, monkeypatch: MonkeyPatch
 ) -> None:
     """Tests that a user .fmu as a file raises a 409."""
+    client = TestClient(app)
     (tmp_path_mocked_home / "home/.fmu").touch()
     monkeypatch.chdir(tmp_path_mocked_home)
     response = client.post(ROUTE, headers={settings.TOKEN_HEADER_NAME: mock_token})
@@ -83,6 +87,7 @@ def test_get_session_creating_user_unknown_failure(
     tmp_path_mocked_home: Path, mock_token: str, monkeypatch: MonkeyPatch
 ) -> None:
     """Tests that an unknown exception returns 500."""
+    client = TestClient(app)
     with patch(
         "fmu_settings_api.deps.init_user_fmu_directory",
         side_effect=Exception("foo"),
@@ -102,6 +107,7 @@ def test_get_session_creates_user_fmu(
     session_manager: SessionManager,
 ) -> None:
     """Tests that user .fmu is created when a session is created."""
+    client = TestClient(app)
     user_home = tmp_path_mocked_home / "home"
     with pytest.raises(
         FileNotFoundError, match=f"No .fmu directory found at {user_home}"
@@ -125,6 +131,7 @@ async def test_get_session_creates_session(
     session_manager: SessionManager,
 ) -> None:
     """Tests that user .fmu is created when a session is created."""
+    client = TestClient(app)
     user_home = tmp_path_mocked_home / "home"
     response = client.post(ROUTE, headers={settings.TOKEN_HEADER_NAME: mock_token})
     assert response.status_code == status.HTTP_200_OK, response.json()
@@ -147,6 +154,7 @@ async def test_get_session_finds_existing_user_fmu(
     session_manager: SessionManager,
 ) -> None:
     """Tests that an existing user .fmu directory is located with a session."""
+    client = TestClient(app)
     user_fmu_dir = init_user_fmu_directory()
 
     response = client.post(ROUTE, headers={settings.TOKEN_HEADER_NAME: mock_token})
@@ -169,6 +177,7 @@ async def test_get_session_from_project_path_returns_fmu_project(
     session_manager: SessionManager,
 ) -> None:
     """Tests that user .fmu is created when a session is created."""
+    client = TestClient(app)
     user_fmu_dir = init_user_fmu_directory()
     project_fmu_dir = init_fmu_directory(tmp_path_mocked_home)
     ert_model_path = tmp_path_mocked_home / "project/24.0.3/ert/model"
@@ -204,3 +213,29 @@ async def test_get_session_from_project_path_returns_fmu_project(
 
     assert session.project_fmu_directory.path == project_fmu_dir.path
     assert session.project_fmu_directory.config.load() == project_fmu_dir.config.load()
+
+
+async def test_getting_two_sessions_returns_error(
+    tmp_path_mocked_home: Path,
+    mock_token: str,
+    session_manager: SessionManager,
+) -> None:
+    """Tests that user .fmu is created when a session is created."""
+    client = TestClient(app)
+    user_home = tmp_path_mocked_home / "home"
+    response = client.post(ROUTE, headers={settings.TOKEN_HEADER_NAME: mock_token})
+    assert response.status_code == status.HTTP_200_OK, response.json()
+
+    user_fmu_dir = UserFMUDirectory()
+    assert user_fmu_dir.path == user_home / ".fmu"
+
+    session_id = response.cookies.get(settings.SESSION_COOKIE_KEY)
+    assert session_id is not None
+    session = await session_manager.get_session(session_id)
+    assert session is not None
+    assert isinstance(session, Session)
+    assert session.user_fmu_directory.path == user_fmu_dir.path
+
+    response = client.post(ROUTE, headers={settings.TOKEN_HEADER_NAME: mock_token})
+    assert response.status_code == status.HTTP_409_CONFLICT, response.json()
+    assert response.json()["detail"] == "A session already exists"
