From 64d545d8abad04984f7bc94e43f1702b209f6bee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 20 Feb 2024 22:03:18 +0100
Subject: [PATCH 1/2] Do not write or update sessions or their cookies for API access

Accessing the API currently does not, and should not update the user's session. Still, currently we're using it to access the session for authenticating the user. As a result, the session is loaded and we're currently outputting a Set-Cookie header as well as writing the user session on every API request. By using session_options[:skip], we can tell rack to avoid saving the session after the request
---
 lib/api/root_api.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/api/root_api.rb b/lib/api/root_api.rb
index 60ed908f7927..59ef9f4ed17f 100644
--- a/lib/api/root_api.rb
+++ b/lib/api/root_api.rb
@@ -90,6 +90,12 @@ def allowed_content_types
 %w(application/json application/hal+json)
 end
+ # Prevent committing the session
+ # This prevents an unnecessary write when accessing the API
+ def skip_session_write
+ request.session_options[:skip] = true
+ end
+
 def enforce_content_type
 # Content-Type is not present in GET or DELETE requests
 return if request.get? || request.delete?
@@ -328,6 +334,7 @@ def self.authentication_scope(sym)
 authenticate
 set_localization
 enforce_content_type
+ skip_session_write
 ::OpenProject::Appsignal.tag_request(request:)
 end
 end

From 6b0a219ba00f595eac1a159e75d40b7fa9275d03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Wed, 21 Feb 2024 20:21:54 +0100
Subject: [PATCH 2/2] Update lib/api/root_api.rb

Co-authored-by: Ivan Kuchin
---
 lib/api/root_api.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/api/root_api.rb b/lib/api/root_api.rb
index 59ef9f4ed17f..7d11031b367e 100644
--- a/lib/api/root_api.rb
+++ b/lib/api/root_api.rb
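Review bot: The two comment lines above `skip_session_write` say only that a write is avoided, so a reader of lib/api/root_api.rb cannot tell from them that Rack's `:skip` session option suppresses both the store write and the Set-Cookie header, which is the security-relevant effect the commit message describes. I would replace them with `# Tell the Rack session middleware not to commit this request's session: no store write and no Set-Cookie header.` followed by `# API requests authenticate from an existing session but must never create, refresh or extend one.` Setting `:skip` unconditionally also discards any session mutation an API request might make deliberately; if anything else depends on API traffic touching the session (presumably a sliding-expiry timestamp, if the app keeps one), confirm that it is acceptable for that to stop happening.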
@@ -331,10 +331,10 @@ def self.authentication_scope(sym)
 # run authentication before each request
 after_validation do
+ skip_session_write
 authenticate
 set_localization
 enforce_content_type
- skip_session_write
 ::OpenProject::Appsignal.tag_request(request:)
 end
 end
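Review bot: `skip_session_write` is registered inside the `after_validation` block, so a request whose parameter validation fails never reaches it and the session is still committed, with a Set-Cookie header and a store write on the 400 response that this series is meant to eliminate. Presumably this is Grape's `after_validation`, where `before` callbacks run regardless of the validation outcome; registering the call as `before do`, `  skip_session_write`, `end` ahead of this block would cover every API request, and its position among the after_validation steps would then no longer matter. `self.authentication_scope` starts outside the hunk, so I cannot see whether a `before` block already exists there.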