Close event streams for expired sessions

When a session expires close any event streams that have been opened with that session. This prevents an attacker with a leaked session cookie from opening a stream and receiving updates indefinitely without being detected. By sending the session the event stream is opened with when the stream is established this closure on session expiry also serves as a way for a user agent to be notified whenever its own access level changes.
2025-07-08 15:43:14 +02:00 · 2025-07-08 15:43:14 +02:00 · 011687b391
commit 011687b391
parent 2d5af78568
12 changed files with 132 additions and 44 deletions
--- a/server/api/auth/account.delete.ts
+++ b/server/api/auth/account.delete.ts
@ -12,16 +12,25 @@ export default defineEventHandler(async (event) => {
 	const serverSession = await requireServerSessionWithUser(event);
 	let users = await readUsers();

-	// Remove sessions for this user
-	const removedSessionIds = new Set<number>();
+	// Expire sessions for this user
+	const expiredSessionIds = new Set<number>();
 	let sessions = await readSessions();
-	sessions = sessions.filter(session => {
-		if (session.accountId === serverSession.accountId) {
-			removedSessionIds.add(session.id);
-			return false;
+	const nowMs = Date.now();
+	for (const session of sessions) {
+		if (
+			!session.finished
+			&& session.successor !== undefined
+			&& session.expiresAtMs < nowMs
+			&& session.accountId === serverSession.accountId
+		) {
+			session.expiresAtMs = nowMs;
+			broadcastEvent({
+				type: "session-expired",
+				sessionId: session.id,
+			});
+			expiredSessionIds.add(session.id);
 		}
-		return true;
-	});
+	}
 	cancelAccountStreams(serverSession.accountId);
 	await writeSessions(sessions);
 	await deleteCookie(event, "session");
@ -29,13 +38,13 @@ export default defineEventHandler(async (event) => {
 	// Remove subscriptions for this user
 	let subscriptions = await readSubscriptions();
 	subscriptions = subscriptions.filter(
-		subscription => !removedSessionIds.has(subscription.sessionId)
+		subscription => !expiredSessionIds.has(subscription.sessionId)
 	);
 	await writeSubscriptions(subscriptions);

 	// Remove the user
 	const account = users.find(user => user.id === serverSession.accountId)!;
-	const now = new Date().toISOString();
+	const now = new Date(nowMs).toISOString();
 	account.deleted = true;
 	account.updatedAt = now;
 	await writeUsers(users);
--- a/server/api/auth/session.delete.ts
+++ b/server/api/auth/session.delete.ts
@ -18,8 +18,5 @@ export default defineEventHandler(async (event) => {
 		}
 	}

-	if (session) {
-		cancelSessionStreams(session.id);
-	}
 	await clearServerSession(event);
 })
--- a/server/api/auth/session.get.ts
+++ b/server/api/auth/session.get.ts
@ -2,23 +2,10 @@
 	SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
 	SPDX-License-Identifier: AGPL-3.0-or-later
 */
-import { readSubscriptions, readUsers } from "~/server/database";
-import type { ApiSession } from "~/shared/types/api";
-
-export default defineEventHandler(async (event): Promise<ApiSession | undefined> => {
+export default defineEventHandler(async event => {
 	const session = await getServerSession(event, false);
 	if (!session)
 		return;
-	const users = await readUsers();
-	const account = users.find(user => user.id === session.accountId);
-	const subscriptions = await readSubscriptions();
-	const push = Boolean(
-		subscriptions.find(sub => sub.type === "push" && sub.sessionId === session.id)
-	);

-	return {
-		id: session.id,
-		account,
-		push,
-	};
+	return await serverSessionToApi(event, session);
 })