public/owltide
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages 1 Wiki Activity Actions
169 commits 1 branch 3 tags 1.9 MiB
Commit graph

7 commits

Author SHA1 Message Date
Hornwitser
011687b391 Close event streams for expired sessions 
When a session expires close any event streams that have been opened
with that session.  This prevents an attacker with a leaked session
cookie from opening a stream and receiving updates indefinitely without
being detected.

By sending the session the event stream is opened with when the stream
is established this closure on session expiry also serves as a way for
a user agent to be notified whenever its own access level changes.
 2025-07-08 16:13:46 +02:00
Hornwitser
1775fac5fd Refactor sessions to frequently rotate 
In order to minimise the window of opportunity to steal a session,
automatically rotate it onto a new session on a frequent basis.  This
makes a session cookie older than the automatic rollover time less
likely to grant access and more likely to be detected.

Should a stolen session cookie get rotated while the attacker is using
it, the user will be notificed that their session has been taken the
next time they open the app if the user re-visits the website before the
session is discarded.
 2025-07-07 22:50:59 +02:00
Hornwitser
e52972853d License under AGPL version 3 or later 
I firmly believe in free software.

The application I'm making here have capabilities that I've not seen in
any system.  It presents itself as an opportunity to collaborate on a
tool that serves the people rather than corporations.  Whose incentives
are to help people rather, not make the most money.  And whose terms
ensure that these freedoms and incentives cannot be taken back or
subverted.

I license this software under the AGPL.
 2025-06-30 18:58:24 +02:00
Hornwitser
b1053a95ba Fix import statements 
Remove unused or unneeded imports and change imports of luxon APIs to
use the wrapper.
 2025-06-23 12:54:09 +02:00
Hornwitser
3be7f8be05 Refactor user storage and update 
Rename accounts to users to be consistent with the new naming scheme
where account only referes to the logged in user of the session and
implement live updates of users via a user store which listens for
updates from the event stream.
 2025-06-23 00:28:58 +02:00
Hornwitser
251e83f640 Rename AcountSession to ServerSession
All checks were successful
/ build (push) Successful in 1m12s
Details
/ deploy (push) Successful in 16s
Details 
Start the work of clearly distingushing client side types, server side
types and types shared over the API by renaming "AccountSession" and
"Session" names used on the server to "ServerSession".
 2025-06-09 16:51:05 +02:00
Hornwitser
04b9707272 Move /api/account to /api/auth/account
All checks were successful
/ build (push) Successful in 1m16s
Details
/ deploy (push) Successful in 16s
Details 
An account refers to the user the active session is logged in as. As
such it doesn't make sense outside of the /auth API paths that deals
with the current authenticated user.  Move /api/account to
/api/auth/account to reflect this.
 2025-05-31 21:44:19 +02:00
Renamed from server/api/account.delete.ts (Browse further)