Close event streams for expired sessions
When a session expires close any event streams that have been opened with that session. This prevents an attacker with a leaked session cookie from opening a stream and receiving updates indefinitely without being detected. By sending the session the event stream is opened with when the stream is established this closure on session expiry also serves as a way for a user agent to be notified whenever its own access level changes.
This commit is contained in:
parent
2d5af78568
commit
011687b391
12 changed files with 132 additions and 44 deletions
|
|
@ -13,6 +13,8 @@ import {
|
|||
writeSessions,
|
||||
writeSubscriptions
|
||||
} from "~/server/database";
|
||||
import { broadcastEvent } from "../streams";
|
||||
import type { ApiSession } from "~/shared/types/api";
|
||||
|
||||
async function removeSessionSubscription(sessionId: number) {
|
||||
const subscriptions = await readSubscriptions();
|
||||
|
|
@ -27,9 +29,13 @@ async function clearServerSessionInternal(event: H3Event, sessions: ServerSessio
|
|||
const existingSessionCookie = await getSignedCookie(event, "session");
|
||||
if (existingSessionCookie) {
|
||||
const sessionId = parseInt(existingSessionCookie, 10);
|
||||
const sessionIndex = sessions.findIndex(session => session.id === sessionId);
|
||||
if (sessionIndex !== -1) {
|
||||
sessions.splice(sessionIndex, 1);
|
||||
const session = sessions.find(session => session.id === sessionId);
|
||||
if (session) {
|
||||
session.finished = true;
|
||||
broadcastEvent({
|
||||
type: "session-expired",
|
||||
sessionId,
|
||||
});
|
||||
await removeSessionSubscription(sessionId);
|
||||
return true;
|
||||
}
|
||||
|
|
@ -56,6 +62,7 @@ export async function setServerSession(event: H3Event, account: ServerUser) {
|
|||
access: account.type,
|
||||
expiresAtMs: now + runtimeConfig.sessionExpiresTimeout * 1000,
|
||||
discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
|
||||
finished: false,
|
||||
id: await nextSessionId(),
|
||||
};
|
||||
|
||||
|
|
@ -74,6 +81,7 @@ async function rotateSession(event: H3Event, sessions: ServerSession[], session:
|
|||
access: account?.type ?? "anonymous",
|
||||
expiresAtMs: now + runtimeConfig.sessionExpiresTimeout * 1000,
|
||||
discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
|
||||
finished: false,
|
||||
id: await nextSessionId(),
|
||||
};
|
||||
session.successor = newSession.id;
|
||||
|
|
@ -90,6 +98,9 @@ export async function getServerSession(event: H3Event, ignoreExpired: boolean) {
|
|||
const sessions = await readSessions();
|
||||
const session = sessions.find(session => session.id === sessionId);
|
||||
if (session) {
|
||||
if (session.finished) {
|
||||
return undefined;
|
||||
}
|
||||
if (!ignoreExpired && session.successor !== undefined) {
|
||||
throw createError({
|
||||
statusCode: 403,
|
||||
|
|
@ -149,3 +160,18 @@ export async function requireServerSessionWithAdmin(event: H3Event) {
|
|||
}
|
||||
return { ...session, accountId: session.accountId };
|
||||
}
|
||||
|
||||
export async function serverSessionToApi(event: H3Event, session: ServerSession): Promise<ApiSession> {
|
||||
const users = await readUsers();
|
||||
const account = users.find(user => user.id === session.accountId);
|
||||
const subscriptions = await readSubscriptions();
|
||||
const push = Boolean(
|
||||
subscriptions.find(sub => sub.type === "push" && sub.sessionId === session.id)
|
||||
);
|
||||
|
||||
return {
|
||||
id: session.id,
|
||||
account,
|
||||
push,
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue