Refactor sessions to frequently rotate
In order to minimise the window of opportunity to steal a session, automatically rotate it onto a new session on a frequent basis. This makes a session cookie older than the automatic rollover time less likely to grant access and more likely to be detected. Should a stolen session cookie get rotated while the attacker is using it, the user will be notificed that their session has been taken the next time they open the app if the user re-visits the website before the session is discarded.
This commit is contained in:
parent
d9b78bff69
commit
1775fac5fd
18 changed files with 168 additions and 73 deletions
|
|
@ -9,20 +9,20 @@ import {
|
|||
import { broadcastEvent, cancelAccountStreams } from "~/server/streams";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const serverSession = await requireServerSession(event);
|
||||
const serverSession = await requireServerSessionWithUser(event);
|
||||
let users = await readUsers();
|
||||
|
||||
// Remove sessions for this user
|
||||
const removedSessionIds = new Set<number>();
|
||||
let sessions = await readSessions();
|
||||
sessions = sessions.filter(session => {
|
||||
if (session.account.id === serverSession.account.id) {
|
||||
if (session.accountId === serverSession.accountId) {
|
||||
removedSessionIds.add(session.id);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
});
|
||||
cancelAccountStreams(serverSession.account.id);
|
||||
cancelAccountStreams(serverSession.accountId);
|
||||
await writeSessions(sessions);
|
||||
await deleteCookie(event, "session");
|
||||
|
||||
|
|
@ -34,7 +34,7 @@ export default defineEventHandler(async (event) => {
|
|||
await writeSubscriptions(subscriptions);
|
||||
|
||||
// Remove the user
|
||||
const account = users.find(user => user.id === serverSession.account.id)!;
|
||||
const account = users.find(user => user.id === serverSession.accountId)!;
|
||||
const now = new Date().toISOString();
|
||||
account.deleted = true;
|
||||
account.updatedAt = now;
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ import { z } from "zod/v4-mini";
|
|||
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const session = await requireServerSession(event);
|
||||
const session = await requireServerSessionWithUser(event);
|
||||
const { success, error, data: patch } = apiAccountPatchSchema.safeParse(await readBody(event));
|
||||
if (!success) {
|
||||
throw createError({
|
||||
|
|
@ -39,7 +39,7 @@ export default defineEventHandler(async (event) => {
|
|||
}
|
||||
|
||||
const users = await readUsers();
|
||||
const account = users.find(user => user.id === session.account.id);
|
||||
const account = users.find(user => user.id === session.accountId);
|
||||
if (!account) {
|
||||
throw Error("Account does not exist");
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ import { readUsers, writeUsers, nextUserId, type ServerUser } from "~/server/dat
|
|||
import { broadcastEvent } from "~/server/streams";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
let session = await getServerSession(event);
|
||||
let session = await getServerSession(event, false);
|
||||
if (session) {
|
||||
throw createError({
|
||||
status: 409,
|
||||
|
|
|
|||
|
|
@ -2,12 +2,15 @@
|
|||
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
*/
|
||||
import { readUsers } from "~/server/database";
|
||||
import { cancelSessionStreams } from "~/server/streams";
|
||||
|
||||
export default defineEventHandler(async (event) => {
|
||||
const session = await getServerSession(event);
|
||||
const session = await getServerSession(event, true);
|
||||
if (session) {
|
||||
if (session.account.type === "anonymous") {
|
||||
const users = await readUsers();
|
||||
const account = users.find(user => user.id === session.accountId);
|
||||
if (account?.type === "anonymous") {
|
||||
throw createError({
|
||||
status: 409,
|
||||
message: "Cannot log out of an anonymous account",
|
||||
|
|
|
|||
|
|
@ -2,23 +2,23 @@
|
|||
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
|
||||
SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
*/
|
||||
import { readSubscriptions } from "~/server/database";
|
||||
import { readSubscriptions, readUsers } from "~/server/database";
|
||||
import type { ApiSession } from "~/shared/types/api";
|
||||
|
||||
export default defineEventHandler(async (event): Promise<ApiSession | undefined> => {
|
||||
const session = await getServerSession(event);
|
||||
const session = await getServerSession(event, false);
|
||||
if (!session)
|
||||
return;
|
||||
const users = await readUsers();
|
||||
const account = users.find(user => user.id === session.accountId);
|
||||
const subscriptions = await readSubscriptions();
|
||||
const push = Boolean(
|
||||
subscriptions.find(sub => sub.type === "push" && sub.sessionId === session.id)
|
||||
);
|
||||
|
||||
await refreshServerSession(event, session);
|
||||
|
||||
return {
|
||||
id: session.id,
|
||||
account: session.account,
|
||||
account,
|
||||
push,
|
||||
};
|
||||
})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue