public/owltide
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages 1 Wiki Activity Actions
owltide/server/api/admin/database-import.post.ts
Hornwitser 1775fac5fd Refactor sessions to frequently rotate 
In order to minimise the window of opportunity to steal a session,
automatically rotate it onto a new session on a frequent basis.  This
makes a session cookie older than the automatic rollover time less
likely to grant access and more likely to be detected.

Should a stolen session cookie get rotated while the attacker is using
it, the user will be notificed that their session has been taken the
next time they open the app if the user re-visits the website before the
session is discarded.
2025-07-07 22:50:59 +02:00

48 lines
1.9 KiB
TypeScript
Raw Blame History

/*
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
SPDX-License-Identifier: AGPL-3.0-or-later
*/
import { readNextSessionId, readNextUserId, readSessions, type ServerSession, type ServerUser, writeNextSessionId, writeNextUserId, writeSchedule, writeSessions, writeSubscriptions, writeUsers } from "~/server/database";
import type { ApiSchedule, ApiSubscription } from "~/shared/types/api";
export default defineEventHandler(async (event) => {
await requireServerSessionWithAdmin(event);
const formData = await readMultipartFormData(event);
let snapshot: undefined | {
nextUserId: number,
users: ServerUser[],
nextSessionId: number,
sessions: ServerSession[],
subscriptions: ApiSubscription[],
schedule: ApiSchedule,
};
for (const part of formData ?? []) {
if (part.name === "snapshot") {
snapshot = JSON.parse(part.data.toString("utf-8"));
}
}
if (!snapshot) {
throw createError({
statusCode: 400,
statusMessage: "Bad Request",
message: "snapshot missing."
});
}
const currentNextUserId = await readNextUserId();
await writeNextUserId(Math.max(currentNextUserId, snapshot.nextUserId));
await writeUsers(snapshot.users);
const currentNextSessionId = await readNextSessionId();
await writeNextSessionId(Math.max(currentNextSessionId, snapshot.nextSessionId));
const currentSessions = new Map((await readSessions()).map(session => [session.id, session]));
await writeSessions(snapshot.sessions.filter(session => {
const current = currentSessions.get(session.id);
// Only keep sessions that match the account id in both sets to avoid
// resurrecting deleted sessions. This will still cause session cross
// pollution if a snapshot from another instance is loaded here.
return current?.accountId !== undefined && current.accountId === session.accountId;
}));
await writeSubscriptions(snapshot.subscriptions);
await writeSchedule(snapshot.schedule);
await sendRedirect(event, "/");
})
Reference in a new issue View git blame Copy permalink