LG-12214: Refresh device cookie on every user event

app/services/user_event_creator.rb

@@ -102,19 +102,13 @@ def create_event_for_new_device(event_type:, user:, disavowal_token:)
   def create_device_for_user(user)
     cookie_uuid = cookies[:device].presence || SecureRandom.hex(COOKIE_LENGTH / 2)
 
-    device = Device.create!(
+    Device.create!(
       user: user,
       user_agent: request.user_agent.to_s,
       cookie_uuid: cookie_uuid,
       last_used_at: Time.zone.now,
       last_ip: request.remote_ip,
     )
-    assign_device_cookie(device.cookie_uuid)
-    device
-  end
-
-  def assign_device_cookie(device_cookie)
-    cookies.permanent[:device] = device_cookie unless device_cookie == cookies[:device]
   end
 
   def send_new_device_notification(event:, device:, disavowal_token:)
@@ -134,6 +128,8 @@ def create_event_for_device(event_type:, user:, device:, disavowal_token: nil)
       disavowal_token_fingerprint: disavowal_token_fingerprint,
     )
 
+    cookies.permanent[:device] = device.cookie_uuid if device
+
     [event, disavowal_token]
   end
 

spec/controllers/users/sessions_controller_spec.rb

@@ -65,6 +65,31 @@
       expect(subject.session[:sign_in_flow]).to eq(:sign_in)
     end
 
+    it 'saves and refreshes cookie for device for successful authentication' do
+      user = create(:user, :fully_registered)
+
+      first_expires = nil
+
+      freeze_time do
+        post :create, params: { user: { email: user.email, password: user.password } }
+
+        device_cookie = response.headers['set-cookie'].find { |c| c.start_with?('device=') }
+        first_expires = CGI::Cookie.parse(device_cookie)['expires'].first
+        expect(Time.zone.parse(first_expires)).to be >= 20.years.from_now
+      end
+
+      sign_out(user)
+      expect(cookies[:device]).to be_present
+
+      travel_to 10.minutes.from_now do
+        post :create, params: { user: { email: user.email, password: user.password } }
+
+        device_cookie = response.headers['set-cookie'].find { |c| c.start_with?('device=') }
+        second_expires = CGI::Cookie.parse(device_cookie)['expires'].first
+        expect(Time.zone.parse(second_expires)).to be >= Time.zone.parse(first_expires) + 10.minutes
+      end
+    end
+
     it 'tracks the unsuccessful authentication for existing user' do
       user = create(:user, :fully_registered)
 

spec/services/user_event_creator_spec.rb

@@ -5,11 +5,9 @@
   let(:ip_address) { '4.4.4.4' }
   let(:existing_device_cookie) { 'existing_device_cookie' }
   let(:cookie_jar) do
-    {
-      device: existing_device_cookie,
-    }.with_indifferent_access.tap do |cookie_jar|
-      allow(cookie_jar).to receive(:permanent).and_return({})
-    end
+    cookie_jar = ActionDispatch::Cookies::CookieJar.new(Rails.configuration.action_dispatch)
+    cookie_jar.permanent[:device] = existing_device_cookie if existing_device_cookie
+    cookie_jar
   end
   let(:request) do
     double(
@@ -41,6 +39,12 @@
         expect(device.last_ip).to eq(ip_address)
         expect(device.last_used_at).to be_within(1).of(Time.zone.now)
       end
+
+      it 'refreshes the permanent cookie' do
+        expect(cookie_jar.permanent).to receive(:[]=).with(:device, existing_device_cookie)
+
+        subject.create_user_event(event_type, user)
+      end
     end
 
     context 'when a device exists that is not associated with the user' do
@@ -95,6 +99,12 @@
 
           expect(event.device.cookie_uuid.length).to eq(UserEventCreator::COOKIE_LENGTH)
         end
+
+        it 'saves the cookie permanently' do
+          expect { subject.create_user_event(event_type, user) }.to change { cookie_jar[:device] }.
+            from(nil).
+            to(lambda { |value| value == Device.last.cookie_uuid })
+        end
       end
 
       it 'alerts the user if they have other devices' do