public/owltide
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Refactor sessions to frequently rotate

Browse source 
In order to minimise the window of opportunity to steal a session,
automatically rotate it onto a new session on a frequent basis.  This
makes a session cookie older than the automatic rollover time less
likely to grant access and more likely to be detected.

Should a stolen session cookie get rotated while the attacker is using
it, the user will be notificed that their session has been taken the
next time they open the app if the user re-visits the website before the
session is discarded.
This commit is contained in:
Hornwitser 2025-07-07 22:42:49 +02:00
parent d9b78bff69
commit 1775fac5fd
18 changed files with 168 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

6
server/api/schedule.patch.ts
View file

@ -9,9 +9,9 @@ import { apiScheduleSchema } from "~/shared/types/api";
import { applyUpdatesToArray } from "~/shared/utils/update";
export default defineEventHandler(async (event) => {
const session = await requireServerSession(event);
const session = await requireServerSessionWithUser(event);
if (session.account.type !== "admin" && session.account.type !== "crew") {
if (session.access !== "admin" && session.access !== "crew") {
throw createError({
status: 403,
statusMessage: "Forbidden",
@ -45,7 +45,7 @@ export default defineEventHandler(async (event) => {
}
// Validate edit restrictions for crew
if (session.account.type === "crew") {
if (session.access === "crew") {
if (update.locations?.length) {
throw createError({
status: 403,