public/owltide
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages 1 Wiki Activity Actions
owltide/server/database.ts

167 lines
4.6 KiB
TypeScript
Raw Normal View History

License under AGPL version 3 or later I firmly believe in free software. The application I'm making here have capabilities that I've not seen in any system. It presents itself as an opportunity to collaborate on a tool that serves the people rather than corporations. Whose incentives are to help people rather, not make the most money. And whose terms ensure that these freedoms and incentives cannot be taken back or subverted. I license this software under the AGPL.
2025-06-30 18:58:24 +02:00
/*
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
SPDX-License-Identifier: AGPL-3.0-or-later
*/
Add debug route to delete the database To simplify development add a debug route to delete the database content so that it'll be re-generated to the demo schedule.
2025-05-31 23:10:25 +02:00
import { readFile, unlink, writeFile } from "node:fs/promises";
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream.
2025-06-23 00:17:22 +02:00
import type { ApiSchedule, ApiSubscription, ApiUserType } from "~/shared/types/api";
import type { Id } from "~/shared/types/common";
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession".
2025-06-09 16:51:05 +02:00
export interface ServerSession {
Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded.
2025-07-07 22:42:49 +02:00
id: Id,
access: ApiUserType,
accountId?: number,
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back.
2025-07-09 15:21:39 +02:00
authenticationProvider?: "telegram",
authenticationSlug?: string,
authenticationName?: string,
Separate rotation and expiry of sessions If a session is rotate in the middle of a server side rendering then some random portions of requests made on the server side will fail with a session taken error as the server is not going to update the cookies of the client during these requests. To avoid this pitfall extend the expiry time of sessions to be 10 seconds after the session has been rotated. This is accomplished by introducing a new timestamp on sessions called the rotateAt at time alongside the expiresAt time. Sessions used after rotateAt that haven't been rotated get rotated into a new session and the existing session gets the expiresAt time set to 10 seconds in the future. Sessions that are past the expiredAt time have no access. This makes the logic around session expiry simpler, and also makes it possible to audit when a session got rotated, and to mark sessions as expired without a chance to rotate to a new session without having to resort to a finished flag.
2025-07-09 14:54:54 +02:00
rotatesAtMs: number,
expiresAtMs?: number,
Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded.
2025-07-07 22:42:49 +02:00
discardAtMs: number,
successor?: Id,
Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession".
2025-06-09 16:51:05 +02:00
};
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream.
2025-06-23 00:17:22 +02:00
export interface ServerUser {
id: Id,
updatedAt: string,
deleted?: boolean,
type: ApiUserType,
name?: string,
interestedEventIds?: number[],
interestedEventSlotIds?: number[],
timezone?: string,
locale?: string,
}
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back.
2025-07-09 15:21:39 +02:00
export interface ServerAuthenticationMethod {
id: Id,
provider: "telegram",
slug: string,
name: string,
userId: Id,
}
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
// For this demo I'm just storing the runtime data in JSON files. When making
// this into proper application this should be replaced with an actual database.
Pull JSON read file logic into a function
2025-03-07 12:25:10 +01:00
const schedulePath = "data/schedule.json";
const subscriptionsPath = "data/subscriptions.json";
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream.
2025-06-23 00:17:22 +02:00
const usersPath = "data/users.json";
const nextUserIdPath = "data/next-user-id.json";
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out.
2025-03-07 12:41:57 +01:00
const sessionsPath = "data/sessions.json";
const nextSessionIdPath = "data/next-session-id.json";
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back.
2025-07-09 15:21:39 +02:00
const authMethodPath = "data/auth-method.json";
const nextAuthenticationMethodIdPath = "data/auth-method-id.json"
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
Add debug route to delete the database To simplify development add a debug route to delete the database content so that it'll be re-generated to the demo schedule.
2025-05-31 23:10:25 +02:00
async function remove(path: string) {
try {
await unlink(path);
} catch (err: any) {
if (err.code !== "ENOENT") {
throw err;
}
}
}
Fix typo in deleteDatabase function
2025-06-23 12:48:34 +02:00
export async function deleteDatabase() {
Add debug route to delete the database To simplify development add a debug route to delete the database content so that it'll be re-generated to the demo schedule.
2025-05-31 23:10:25 +02:00
await remove(schedulePath);
await remove(subscriptionsPath);
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream.
2025-06-23 00:17:22 +02:00
await remove(usersPath);
Add debug route to delete the database To simplify development add a debug route to delete the database content so that it'll be re-generated to the demo schedule.
2025-05-31 23:10:25 +02:00
await remove(sessionsPath);
}
Pull JSON read file logic into a function
2025-03-07 12:25:10 +01:00
async function readJson<T>(filePath: string, fallback: T) {
let data: T extends () => infer R ? R : T;
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
try {
Pull JSON read file logic into a function
2025-03-07 12:25:10 +01:00
data = JSON.parse(await readFile(filePath, "utf-8"));
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
} catch (err: any) {
if (err.code !== "ENOENT")
throw err;
Pull JSON read file logic into a function
2025-03-07 12:25:10 +01:00
data = typeof fallback === "function" ? fallback() : fallback;
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
}
Pull JSON read file logic into a function
2025-03-07 12:25:10 +01:00
return data;
}
export async function readSchedule() {
Implement database administration Add routes and admin panel elements for creating a database backup, restoring from a backup, deleting the existing schedule, and replacing the database with the demo schedule. These server as crude ways to manage the data stored in the system.
2025-06-28 01:23:52 +02:00
return readJson(schedulePath, (): ApiSchedule => ({
id: 111,
updatedAt: new Date().toISOString(),
}));
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
}
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored.
2025-06-11 21:05:17 +02:00
export async function writeSchedule(schedule: ApiSchedule) {
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
await writeFile(schedulePath, JSON.stringify(schedule, undefined, "\t") + "\n", "utf-8");
}
export async function readSubscriptions() {
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored.
2025-06-11 21:05:17 +02:00
let subscriptions = await readJson<ApiSubscription[]>(subscriptionsPath, []);
Refactor subscription format Place the actual push subscription data into a push property on the subscription so that other properties can be added to it.
2025-03-07 12:30:39 +01:00
if (subscriptions.length && "keys" in subscriptions[0]) {
// Discard old format
subscriptions = [];
}
Pull JSON read file logic into a function
2025-03-07 12:25:10 +01:00
return subscriptions;
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
}
Refactor API types and sync logic Rename and refactor the types passed over the API to be based on an entity that's either living or a tombstone. A living entity has a deleted property that's either undefined or false, while a tombstone has a deleted property set to true. All entities have a numeric id and an updatedAt timestamp. To sync entities, an array of replacements are passed around. Living entities are replaced with tombstones when they're deleted. And tombstones are replaced with living entities when restored.
2025-06-11 21:05:17 +02:00
export async function writeSubscriptions(subscriptions: ApiSubscription[]) {
Refactor code saving data Move the code dealing with saving and loading data to server/database to gather it all up into one place.
2025-03-05 18:41:47 +01:00
await writeFile(subscriptionsPath, JSON.stringify(subscriptions, undefined, "\t") + "\n", "utf-8");
}
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out.
2025-03-07 12:41:57 +01:00
Implement database administration Add routes and admin panel elements for creating a database backup, restoring from a backup, deleting the existing schedule, and replacing the database with the demo schedule. These server as crude ways to manage the data stored in the system.
2025-06-28 01:23:52 +02:00
export async function readNextUserId() {
return await readJson(nextUserIdPath, 0);
}
export async function writeNextUserId(nextId: number) {
await writeFile(nextUserIdPath, String(nextId), "utf-8");
}
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream.
2025-06-23 00:17:22 +02:00
export async function nextUserId() {
let nextId = await readJson(nextUserIdPath, 0);
Add create account functionality
2025-03-07 23:53:57 +01:00
if (nextId === 0) {
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream.
2025-06-23 00:17:22 +02:00
nextId = Math.max(...(await readUsers()).map(user => user.id), -1) + 1;
Add create account functionality
2025-03-07 23:53:57 +01:00
}
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream.
2025-06-23 00:17:22 +02:00
await writeFile(nextUserIdPath, String(nextId + 1), "utf-8");
Add create account functionality
2025-03-07 23:53:57 +01:00
return nextId;
}
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream.
2025-06-23 00:17:22 +02:00
export async function readUsers() {
Implement database administration Add routes and admin panel elements for creating a database backup, restoring from a backup, deleting the existing schedule, and replacing the database with the demo schedule. These server as crude ways to manage the data stored in the system.
2025-06-28 01:23:52 +02:00
return await readJson(usersPath, (): ServerUser[] => []);
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out.
2025-03-07 12:41:57 +01:00
}
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream.
2025-06-23 00:17:22 +02:00
export async function writeUsers(users: ServerUser[]) {
await writeFile(usersPath, JSON.stringify(users, undefined, "\t") + "\n", "utf-8");
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out.
2025-03-07 12:41:57 +01:00
}
Implement database administration Add routes and admin panel elements for creating a database backup, restoring from a backup, deleting the existing schedule, and replacing the database with the demo schedule. These server as crude ways to manage the data stored in the system.
2025-06-28 01:23:52 +02:00
export async function readNextSessionId() {
return await readJson(nextSessionIdPath, 0);
}
export async function writeNextSessionId(nextId: number) {
await writeFile(nextSessionIdPath, String(nextId), "utf-8");
}
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out.
2025-03-07 12:41:57 +01:00
export async function nextSessionId() {
const nextId = await readJson(nextSessionIdPath, 0);
await writeFile(nextSessionIdPath, String(nextId + 1), "utf-8");
return nextId;
}
export async function readSessions() {
Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded.
2025-07-07 22:42:49 +02:00
return readJson<ServerSession[]>(sessionsPath, [])
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out.
2025-03-07 12:41:57 +01:00
}
Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession".
2025-06-09 16:51:05 +02:00
export async function writeSessions(sessions: ServerSession[]) {
Refactor sessions to frequently rotate In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded.
2025-07-07 22:42:49 +02:00
await writeFile(sessionsPath, JSON.stringify(sessions, undefined, "\t") + "\n", "utf-8");
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out.
2025-03-07 12:41:57 +01:00
}
Implement register and login with Telegram Add the concept of authentication methods that authenticate an account where using the telegram login widget is one such method. If a login is done with an authentication method that's not associated with any account the session ends up with the data from the authentication method in order to allow registering a new account with the authentication method. This has to be stored on the session as otherwise it wouldn't be possible to implement authentication methods such as OAuth2 that takes the user to a third-party site and then redirects the browser back.
2025-07-09 15:21:39 +02:00
export async function nextAuthenticationMethodId() {
const nextId = await readJson(nextAuthenticationMethodIdPath, 0);
await writeFile(nextAuthenticationMethodIdPath, String(nextId + 1), "utf-8");
return nextId;
}
export async function readAuthenticationMethods() {
return readJson<ServerAuthenticationMethod[]>(authMethodPath, [])
}
export async function writeAuthenticationMethods(authMethods: ServerAuthenticationMethod[]) {
await writeFile(authMethodPath, JSON.stringify(authMethods, undefined, "\t") + "\n", "utf-8");
}
Reference in a new issue Copy permalink