Hornwitser
3f492edea2
If a session is rotate in the middle of a server side rendering then some random portions of requests made on the server side will fail with a session taken error as the server is not going to update the cookies of the client during these requests. To avoid this pitfall extend the expiry time of sessions to be 10 seconds after the session has been rotated. This is accomplished by introducing a new timestamp on sessions called the rotateAt at time alongside the expiresAt time. Sessions used after rotateAt that haven't been rotated get rotated into a new session and the existing session gets the expiresAt time set to 10 seconds in the future. Sessions that are past the expiredAt time have no access. This makes the logic around session expiry simpler, and also makes it possible to audit when a session got rotated, and to mark sessions as expired without a chance to rotate to a new session without having to resort to a finished flag.
177 lines
5.5 KiB
TypeScript
177 lines
5.5 KiB
TypeScript
/*
|
|
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
|
|
SPDX-License-Identifier: AGPL-3.0-or-later
|
|
*/
|
|
import type { H3Event } from "h3";
|
|
import {
|
|
nextSessionId,
|
|
readSessions,
|
|
readSubscriptions,
|
|
readUsers,
|
|
type ServerSession,
|
|
type ServerUser,
|
|
writeSessions,
|
|
writeSubscriptions
|
|
} from "~/server/database";
|
|
import { broadcastEvent } from "../streams";
|
|
import type { ApiSession } from "~/shared/types/api";
|
|
|
|
async function removeSessionSubscription(sessionId: number) {
|
|
const subscriptions = await readSubscriptions();
|
|
const index = subscriptions.findIndex(subscription => subscription.sessionId === sessionId);
|
|
if (index !== -1) {
|
|
subscriptions.splice(index, 1);
|
|
await writeSubscriptions(subscriptions);
|
|
}
|
|
}
|
|
|
|
async function clearServerSessionInternal(event: H3Event, sessions: ServerSession[]) {
|
|
const existingSessionCookie = await getSignedCookie(event, "session");
|
|
if (existingSessionCookie) {
|
|
const sessionId = parseInt(existingSessionCookie, 10);
|
|
const session = sessions.find(session => session.id === sessionId);
|
|
if (session) {
|
|
session.expiresAtMs = Date.now();
|
|
broadcastEvent({
|
|
type: "session-expired",
|
|
sessionId,
|
|
});
|
|
await removeSessionSubscription(sessionId);
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
export async function clearServerSession(event: H3Event) {
|
|
const sessions = await readSessions();
|
|
if (await clearServerSessionInternal(event, sessions)) {
|
|
await writeSessions(sessions);
|
|
}
|
|
deleteCookie(event, "session");
|
|
}
|
|
|
|
export async function setServerSession(event: H3Event, account: ServerUser) {
|
|
const sessions = await readSessions();
|
|
const runtimeConfig = useRuntimeConfig(event);
|
|
await clearServerSessionInternal(event, sessions);
|
|
|
|
const now = Date.now();
|
|
const newSession: ServerSession = {
|
|
access: account?.type ?? "anonymous",
|
|
accountId: account?.id,
|
|
rotatesAtMs: now + runtimeConfig.sessionRotatesTimeout * 1000,
|
|
discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
|
|
id: await nextSessionId(),
|
|
};
|
|
|
|
sessions.push(newSession);
|
|
await writeSessions(sessions);
|
|
await setSignedCookie(event, "session", String(newSession.id), runtimeConfig.sessionDiscardTimeout)
|
|
}
|
|
|
|
async function rotateSession(event: H3Event, sessions: ServerSession[], session: ServerSession) {
|
|
const runtimeConfig = useRuntimeConfig(event);
|
|
const users = await readUsers();
|
|
const account = users.find(user => !user.deleted && user.id === session.accountId);
|
|
const now = Date.now();
|
|
const newSession: ServerSession = {
|
|
accountId: account?.id,
|
|
access: account?.type ?? "anonymous",
|
|
rotatesAtMs: now + runtimeConfig.sessionRotatesTimeout * 1000,
|
|
discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
|
|
id: await nextSessionId(),
|
|
};
|
|
session.successor = newSession.id;
|
|
session.expiresAtMs = Date.now() + 10 * 1000;
|
|
sessions.push(newSession);
|
|
await writeSessions(sessions);
|
|
await setSignedCookie(event, "session", String(newSession.id), runtimeConfig.sessionDiscardTimeout)
|
|
return newSession;
|
|
}
|
|
|
|
export async function getServerSession(event: H3Event, ignoreTaken: boolean) {
|
|
const sessionCookie = await getSignedCookie(event, "session");
|
|
if (sessionCookie) {
|
|
const sessionId = parseInt(sessionCookie, 10);
|
|
const sessions = await readSessions();
|
|
const session = sessions.find(session => session.id === sessionId);
|
|
if (session) {
|
|
const nowMs = Date.now();
|
|
if (nowMs >= session.discardAtMs) {
|
|
return undefined;
|
|
}
|
|
if (session.expiresAtMs !== undefined && nowMs >= session.expiresAtMs) {
|
|
if (!ignoreTaken && session.successor !== undefined) {
|
|
throw createError({
|
|
statusCode: 403,
|
|
statusMessage: "Forbidden",
|
|
message: "Session has been taken by another agent.",
|
|
data: { code: "SESSION_TAKEN" },
|
|
});
|
|
}
|
|
return undefined;
|
|
}
|
|
if (nowMs >= session.rotatesAtMs && session.successor === undefined) {
|
|
return await rotateSession(event, sessions, session);
|
|
}
|
|
}
|
|
return session;
|
|
}
|
|
}
|
|
|
|
export async function requireServerSession(event: H3Event, message: string) {
|
|
const session = await getServerSession(event, false);
|
|
if (!session)
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: "Unauthorized",
|
|
message,
|
|
});
|
|
return session;
|
|
}
|
|
|
|
export async function requireServerSessionWithUser(event: H3Event) {
|
|
const message = "User session required";
|
|
const session = await requireServerSession(event, message);
|
|
const users = await readUsers();
|
|
const account = users.find(user => user.id === session.accountId);
|
|
if (session.accountId === undefined || !account || account.deleted)
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: "Uauthorized",
|
|
message,
|
|
});
|
|
return { ...session, accountId: session.accountId };
|
|
}
|
|
|
|
|
|
export async function requireServerSessionWithAdmin(event: H3Event) {
|
|
const message = "Admin session required";
|
|
const session = await requireServerSession(event, message);
|
|
const users = await readUsers();
|
|
const account = users.find(user => user.id === session.accountId);
|
|
if (session.access !== "admin" || account?.type !== "admin") {
|
|
throw createError({
|
|
statusCode: 403,
|
|
statusMessage: "Forbidden",
|
|
message,
|
|
});
|
|
}
|
|
return { ...session, accountId: session.accountId };
|
|
}
|
|
|
|
export async function serverSessionToApi(event: H3Event, session: ServerSession): Promise<ApiSession> {
|
|
const users = await readUsers();
|
|
const account = users.find(user => !user.deleted && user.id === session.accountId);
|
|
const subscriptions = await readSubscriptions();
|
|
const push = Boolean(
|
|
subscriptions.find(sub => sub.type === "push" && sub.sessionId === session.id)
|
|
);
|
|
|
|
return {
|
|
id: session.id,
|
|
account,
|
|
push,
|
|
};
|
|
}
|