owltide/server/utils/session.ts

/*
	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
	SPDX-License-Identifier: AGPL-3.0-or-later
*/
import type { H3Event } from "h3";
import { nextSessionId, readSessions, readSubscriptions, type ServerSession, type ServerUser, writeSessions, writeSubscriptions } from "~/server/database";

const oneYearSeconds = 365 * 24 * 60 * 60;

async function removeSessionSubscription(sessionId: number) {
	const subscriptions = await readSubscriptions();
	const index = subscriptions.findIndex(subscription => subscription.sessionId === sessionId);
	if (index !== -1) {
		subscriptions.splice(index, 1);
		await writeSubscriptions(subscriptions);
	}
}

async function clearServerSessionInternal(event: H3Event, sessions: ServerSession[]) {
	const existingSessionCookie = await getSignedCookie(event, "session");
	if (existingSessionCookie) {
		const sessionId = parseInt(existingSessionCookie, 10);
		const sessionIndex = sessions.findIndex(session => session.id === sessionId);
		if (sessionIndex !== -1) {
			sessions.splice(sessionIndex, 1);
			await removeSessionSubscription(sessionId);
			return true;
		}
	}
	return false;
}

export async function clearServerSession(event: H3Event) {
	const sessions = await readSessions();
	if (await clearServerSessionInternal(event, sessions)) {
		await writeSessions(sessions);
	}
	deleteCookie(event, "session");
}

export async function setServerSession(event: H3Event, account: ServerUser) {
	const sessions = await readSessions();
	await clearServerSessionInternal(event, sessions);

	const newSession: ServerSession = {
		account,
		id: await nextSessionId(),
	};

	sessions.push(newSession);
	await writeSessions(sessions);
	await setSignedCookie(event, "session", String(newSession.id), oneYearSeconds)
}

export async function refreshServerSession(event: H3Event, session: ServerSession) {
	await setSignedCookie(event, "session", String(session.id), oneYearSeconds)
}

export async function getServerSession(event: H3Event) {
	const sessionCookie = await getSignedCookie(event, "session");
	if (sessionCookie) {
		const sessionId = parseInt(sessionCookie, 10);
		const sessions = await readSessions();
		return sessions.find(session => session.id === sessionId);
	}
}

export async function requireServerSession(event: H3Event) {
	const session = await getServerSession(event);
	if (!session)
		throw createError({
			status: 401,
			message: "Account session required",
		});
	return session;
}

export async function requireServerSessionWithAdmin(event: H3Event) {
	const session = await requireServerSession(event);
	if (session.account.type !== "admin") {
		throw createError({
			statusCode: 403,
			statusMessage: "Forbidden",
		});
	}
	return session;
}
License under AGPL version 3 or later I firmly believe in free software. The application I'm making here have capabilities that I've not seen in any system. It presents itself as an opportunity to collaborate on a tool that serves the people rather than corporations. Whose incentives are to help people rather, not make the most money. And whose terms ensure that these freedoms and incentives cannot be taken back or subverted. I license this software under the AGPL. 2025-06-30 18:58:24 +02:00			`/*`
			`SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>`
			`SPDX-License-Identifier: AGPL-3.0-or-later`
			`*/`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`import type { H3Event } from "h3";`
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`import { nextSessionId, readSessions, readSubscriptions, type ServerSession, type ServerUser, writeSessions, writeSubscriptions } from "~/server/database";`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00
Make session cookie permament Set a max age for the session cookie to prevent it from expiring when the browser is closed. To prevent the age limit from being being reached the session cookie is refreshed every time the session is loaded. This should fix login being lost when the browser is stopped. 2025-03-11 16:30:51 +01:00			`const oneYearSeconds = 365 * 24 * 60 * 60;`

Tie push subscriptions to current session If a user logs out from a device the expectation should be that device no longer having any association with the user's account. Any existing push notifications should thefore be removed on server. For this reason tie push notifications to a session, and remove them when the session is deleted. 2025-03-07 14:11:07 +01:00			`async function removeSessionSubscription(sessionId: number) {`
			`const subscriptions = await readSubscriptions();`
			`const index = subscriptions.findIndex(subscription => subscription.sessionId === sessionId);`
			`if (index !== -1) {`
			`subscriptions.splice(index, 1);`
			`await writeSubscriptions(subscriptions);`
			`}`
			`}`

Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession". 2025-06-09 16:51:05 +02:00			`async function clearServerSessionInternal(event: H3Event, sessions: ServerSession[]) {`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`const existingSessionCookie = await getSignedCookie(event, "session");`
			`if (existingSessionCookie) {`
			`const sessionId = parseInt(existingSessionCookie, 10);`
			`const sessionIndex = sessions.findIndex(session => session.id === sessionId);`
			`if (sessionIndex !== -1) {`
			`sessions.splice(sessionIndex, 1);`
Tie push subscriptions to current session If a user logs out from a device the expectation should be that device no longer having any association with the user's account. Any existing push notifications should thefore be removed on server. For this reason tie push notifications to a session, and remove them when the session is deleted. 2025-03-07 14:11:07 +01:00			`await removeSessionSubscription(sessionId);`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`return true;`
			`}`
			`}`
			`return false;`
			`}`

Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession". 2025-06-09 16:51:05 +02:00			`export async function clearServerSession(event: H3Event) {`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`const sessions = await readSessions();`
Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession". 2025-06-09 16:51:05 +02:00			`if (await clearServerSessionInternal(event, sessions)) {`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`await writeSessions(sessions);`
			`}`
Use deleteCookie to remove session cookie 2025-03-08 00:36:10 +01:00			`deleteCookie(event, "session");`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`}`

Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`export async function setServerSession(event: H3Event, account: ServerUser) {`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`const sessions = await readSessions();`
Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession". 2025-06-09 16:51:05 +02:00			`await clearServerSessionInternal(event, sessions);`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00
Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession". 2025-06-09 16:51:05 +02:00			`const newSession: ServerSession = {`
Refactor user storage and update Rename accounts to users to be consistent with the new naming scheme where account only referes to the logged in user of the session and implement live updates of users via a user store which listens for updates from the event stream. 2025-06-23 00:17:22 +02:00			`account,`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`id: await nextSessionId(),`
			`};`

			`sessions.push(newSession);`
			`await writeSessions(sessions);`
Make session cookie permament Set a max age for the session cookie to prevent it from expiring when the browser is closed. To prevent the age limit from being being reached the session cookie is refreshed every time the session is loaded. This should fix login being lost when the browser is stopped. 2025-03-11 16:30:51 +01:00			`await setSignedCookie(event, "session", String(newSession.id), oneYearSeconds)`
			`}`

Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession". 2025-06-09 16:51:05 +02:00			`export async function refreshServerSession(event: H3Event, session: ServerSession) {`
Make session cookie permament Set a max age for the session cookie to prevent it from expiring when the browser is closed. To prevent the age limit from being being reached the session cookie is refreshed every time the session is loaded. This should fix login being lost when the browser is stopped. 2025-03-11 16:30:51 +01:00			`await setSignedCookie(event, "session", String(session.id), oneYearSeconds)`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`}`

Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession". 2025-06-09 16:51:05 +02:00			`export async function getServerSession(event: H3Event) {`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`const sessionCookie = await getSignedCookie(event, "session");`
			`if (sessionCookie) {`
			`const sessionId = parseInt(sessionCookie, 10);`
			`const sessions = await readSessions();`
			`return sessions.find(session => session.id === sessionId);`
			`}`
			`}`

Rename AcountSession to ServerSession Start the work of clearly distingushing client side types, server side types and types shared over the API by renaming "AccountSession" and "Session" names used on the server to "ServerSession". 2025-06-09 16:51:05 +02:00			`export async function requireServerSession(event: H3Event) {`
			`const session = await getServerSession(event);`
Basic account and session system Provide a basic account system with login and server side session store identified by a cookie. Upon successful login a signed session cookie is set by the server with the session stored on the server identifying which account it is logged in as. The client uses a shared useFetch on the session endpoint to identify if it's logged in and which account it is logged in as, and refreshes this when loggin in or out. 2025-03-07 12:41:57 +01:00			`if (!session)`
			`throw createError({`
			`status: 401,`
			`message: "Account session required",`
			`});`
			`return session;`
			`}`
Add API utility for requiring an admin session 2025-06-28 00:55:26 +02:00
			`export async function requireServerSessionWithAdmin(event: H3Event) {`
			`const session = await requireServerSession(event);`
			`if (session.account.type !== "admin") {`
			`throw createError({`
			`statusCode: 403,`
			`statusMessage: "Forbidden",`
			`});`
			`}`
			`return session;`
			`}`