Commit graph

16 commits

Author SHA1 Message Date
0d0e38e4b6 Refactor demo login as an authentication method
Use the authentication method system for the demo login and the
generated accounts.  This makes it possible to toggle it off on
production systems as these shouldn't have it enabled at all.
2025-07-09 18:01:26 +02:00
aaa2faffb1 Implement register and login with Telegram
Add the concept of authentication methods that authenticate an account
where using the telegram login widget is one such method.  If a login is
done with an authentication method that's not associated with any
account the session ends up with the data from the authentication
method in order to allow registering a new account with the
authentication method.

This has to be stored on the session as otherwise it wouldn't be
possible to implement authentication methods such as OAuth2 that takes
the user to a third-party site and then redirects the browser back.
2025-07-09 15:34:57 +02:00
3f492edea2 Separate rotation and expiry of sessions
If a session is rotate in the middle of a server side rendering then
some random portions of requests made on the server side will fail with
a session taken error as the server is not going to update the cookies
of the client during these requests.

To avoid this pitfall extend the expiry time of sessions to be 10
seconds after the session has been rotated.  This is accomplished by
introducing a new timestamp on sessions called the rotateAt at time
alongside the expiresAt time.  Sessions used after rotateAt that haven't
been rotated get rotated into a new session and the existing session
gets the expiresAt time set to 10 seconds in the future.  Sessions that
are past the expiredAt time have no access.

This makes the logic around session expiry simpler, and also makes it
possible to audit when a session got rotated, and to mark sessions as
expired without a chance to rotate to a new session without having to
resort to a finished flag.
2025-07-09 14:54:54 +02:00
352362b9c3 Ignore deleted users when looking up a user
After the change to converting users to tombstones instead of removing
them from the database several places would accidentally use deleted
user accounts instead of ignoring them.
2025-07-08 16:23:31 +02:00
ebeedff5d0 Add error page for when a session has been taken
Describe to the user what it means when a session has been detected as
taken and provide a means to abandoned the session and log in again.
2025-07-08 16:13:46 +02:00
011687b391 Close event streams for expired sessions
When a session expires close any event streams that have been opened
with that session.  This prevents an attacker with a leaked session
cookie from opening a stream and receiving updates indefinitely without
being detected.

By sending the session the event stream is opened with when the stream
is established this closure on session expiry also serves as a way for
a user agent to be notified whenever its own access level changes.
2025-07-08 16:13:46 +02:00
1775fac5fd Refactor sessions to frequently rotate
In order to minimise the window of opportunity to steal a session,
automatically rotate it onto a new session on a frequent basis.  This
makes a session cookie older than the automatic rollover time less
likely to grant access and more likely to be detected.

Should a stolen session cookie get rotated while the attacker is using
it, the user will be notificed that their session has been taken the
next time they open the app if the user re-visits the website before the
session is discarded.
2025-07-07 22:50:59 +02:00
e52972853d License under AGPL version 3 or later
I firmly believe in free software.

The application I'm making here have capabilities that I've not seen in
any system.  It presents itself as an opportunity to collaborate on a
tool that serves the people rather than corporations.  Whose incentives
are to help people rather, not make the most money.  And whose terms
ensure that these freedoms and incentives cannot be taken back or
subverted.

I license this software under the AGPL.
2025-06-30 18:58:24 +02:00
b2f48e98e0 Add API utility for requiring an admin session 2025-06-28 00:55:26 +02:00
3be7f8be05 Refactor user storage and update
Rename accounts to users to be consistent with the new naming scheme
where account only referes to the logged in user of the session and
implement live updates of users via a user store which listens for
updates from the event stream.
2025-06-23 00:28:58 +02:00
fe06d0d6bd Refactor API types and sync logic
All checks were successful
/ build (push) Successful in 2m5s
/ deploy (push) Successful in 16s
Rename and refactor the types passed over the API to be based on an
entity that's either living or a tombstone.  A living entity has a
deleted property that's either undefined or false, while a tombstone
has a deleted property set to true.  All entities have a numeric id
and an updatedAt timestamp.

To sync entities, an array of replacements are passed around. Living
entities are replaced with tombstones when they're deleted. And
tombstones are replaced with living entities when restored.
2025-06-11 21:05:17 +02:00
251e83f640 Rename AcountSession to ServerSession
All checks were successful
/ build (push) Successful in 1m12s
/ deploy (push) Successful in 16s
Start the work of clearly distingushing client side types, server side
types and types shared over the API by renaming "AccountSession" and
"Session" names used on the server to "ServerSession".
2025-06-09 16:51:05 +02:00
29b34deef0 Make session cookie permament
Set a max age for the session cookie to prevent it from expiring when
the browser is closed.  To prevent the age limit from being being
reached the session cookie is refreshed every time the session is
loaded.  This should fix login being lost when the browser is stopped.
2025-03-11 16:30:51 +01:00
c71841801b Use deleteCookie to remove session cookie 2025-03-08 00:36:10 +01:00
52dfde95d1 Tie push subscriptions to current session
If a user logs out from a device the expectation should be that device
no longer having any association with the user's account.  Any existing
push notifications should thefore be removed on server.  For this reason
tie push notifications to a session, and remove them when the session is
deleted.
2025-03-07 15:47:48 +01:00
150cb82f5c Basic account and session system
Provide a basic account system with login and server side session store
identified by a cookie.  Upon successful login a signed session cookie
is set by the server with the session stored on the server identifying
which account it is logged in as.  The client uses a shared useFetch on
the session endpoint to identify if it's logged in and which account it
is logged in as, and refreshes this when loggin in or out.
2025-03-07 12:41:57 +01:00