Hornwitser
80cec71308
Replace all async reads and writes to the JSON database with the sync reads and writes to prevent a data corruption race condition where two requests are processed at the same time and write to the same file, or one reads while the other writes causing read of partially written data.
193 lines
6 KiB
TypeScript
193 lines
6 KiB
TypeScript
/*
|
|
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
|
|
SPDX-License-Identifier: AGPL-3.0-or-later
|
|
*/
|
|
import type { H3Event } from "h3";
|
|
import {
|
|
nextEventId,
|
|
nextSessionId,
|
|
readSessions,
|
|
readSubscriptions,
|
|
readUsers,
|
|
type ServerSession,
|
|
type ServerUser,
|
|
writeSessions,
|
|
writeSubscriptions
|
|
} from "~/server/database";
|
|
import { broadcastEvent } from "../streams";
|
|
import type { ApiAuthenticationProvider, ApiSession } from "~/shared/types/api";
|
|
import { serverUserToApiAccount } from "./user";
|
|
|
|
async function removeSessionSubscription(sessionId: number) {
|
|
const subscriptions = readSubscriptions();
|
|
const index = subscriptions.findIndex(subscription => subscription.sessionId === sessionId);
|
|
if (index !== -1) {
|
|
subscriptions.splice(index, 1);
|
|
writeSubscriptions(subscriptions);
|
|
}
|
|
}
|
|
|
|
async function clearServerSessionInternal(event: H3Event, sessions: ServerSession[]) {
|
|
const existingSessionCookie = await getSignedCookie(event, "session");
|
|
if (existingSessionCookie) {
|
|
const sessionId = parseInt(existingSessionCookie, 10);
|
|
const session = sessions.find(session => session.id === sessionId);
|
|
if (session) {
|
|
session.expiresAtMs = Date.now();
|
|
broadcastEvent({
|
|
id: nextEventId(),
|
|
type: "session-expired",
|
|
sessionId,
|
|
});
|
|
await removeSessionSubscription(sessionId);
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
export async function clearServerSession(event: H3Event) {
|
|
const sessions = readSessions();
|
|
if (await clearServerSessionInternal(event, sessions)) {
|
|
writeSessions(sessions);
|
|
}
|
|
deleteCookie(event, "session");
|
|
}
|
|
|
|
export async function setServerSession(
|
|
event: H3Event,
|
|
account: ServerUser | undefined,
|
|
authenticationProvider?: ApiAuthenticationProvider,
|
|
authenticationSlug?: string,
|
|
authenticationName?: string,
|
|
) {
|
|
const sessions = readSessions();
|
|
const runtimeConfig = useRuntimeConfig(event);
|
|
await clearServerSessionInternal(event, sessions);
|
|
|
|
const now = Date.now();
|
|
const newSession: ServerSession = {
|
|
access: account?.type ?? "anonymous",
|
|
accountId: account?.id,
|
|
authenticationProvider,
|
|
authenticationSlug,
|
|
authenticationName,
|
|
rotatesAtMs: now + runtimeConfig.sessionRotatesTimeout * 1000,
|
|
discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
|
|
id: await nextSessionId(),
|
|
};
|
|
|
|
sessions.push(newSession);
|
|
writeSessions(sessions);
|
|
await setSignedCookie(event, "session", String(newSession.id), runtimeConfig.sessionDiscardTimeout)
|
|
return newSession;
|
|
}
|
|
|
|
async function rotateSession(event: H3Event, sessions: ServerSession[], session: ServerSession) {
|
|
const runtimeConfig = useRuntimeConfig(event);
|
|
const users = readUsers();
|
|
const account = users.find(user => !user.deleted && user.id === session.accountId);
|
|
const now = Date.now();
|
|
const newSession: ServerSession = {
|
|
accountId: account?.id,
|
|
access: account?.type ?? "anonymous",
|
|
// Authentication provider is removed to avoid possibility of an infinite delay before using it.
|
|
rotatesAtMs: now + runtimeConfig.sessionRotatesTimeout * 1000,
|
|
discardAtMs: now + runtimeConfig.sessionDiscardTimeout * 1000,
|
|
id: nextSessionId(),
|
|
};
|
|
session.successor = newSession.id;
|
|
session.expiresAtMs = Date.now() + 10 * 1000;
|
|
sessions.push(newSession);
|
|
writeSessions(sessions);
|
|
await setSignedCookie(event, "session", String(newSession.id), runtimeConfig.sessionDiscardTimeout)
|
|
return newSession;
|
|
}
|
|
|
|
export async function getServerSession(event: H3Event, ignoreTaken: boolean) {
|
|
const sessionCookie = await getSignedCookie(event, "session");
|
|
if (sessionCookie) {
|
|
const sessionId = parseInt(sessionCookie, 10);
|
|
const sessions = readSessions();
|
|
const session = sessions.find(session => session.id === sessionId);
|
|
if (session) {
|
|
const nowMs = Date.now();
|
|
if (nowMs >= session.discardAtMs) {
|
|
return undefined;
|
|
}
|
|
if (session.expiresAtMs !== undefined && nowMs >= session.expiresAtMs) {
|
|
if (!ignoreTaken && session.successor !== undefined) {
|
|
throw createError({
|
|
statusCode: 403,
|
|
statusMessage: "Forbidden",
|
|
message: "Session has been taken by another agent.",
|
|
data: { code: "SESSION_TAKEN" },
|
|
});
|
|
}
|
|
return undefined;
|
|
}
|
|
if (nowMs >= session.rotatesAtMs && session.successor === undefined) {
|
|
return await rotateSession(event, sessions, session);
|
|
}
|
|
}
|
|
return session;
|
|
}
|
|
}
|
|
|
|
export async function requireServerSession(event: H3Event, message: string) {
|
|
const session = await getServerSession(event, false);
|
|
if (!session)
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: "Unauthorized",
|
|
message,
|
|
});
|
|
return session;
|
|
}
|
|
|
|
export async function requireServerSessionWithUser(event: H3Event) {
|
|
const message = "User session required";
|
|
const session = await requireServerSession(event, message);
|
|
const users = readUsers();
|
|
const account = users.find(user => user.id === session.accountId);
|
|
if (session.accountId === undefined || !account || account.deleted)
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: "Uauthorized",
|
|
message,
|
|
});
|
|
return { ...session, accountId: session.accountId };
|
|
}
|
|
|
|
|
|
export async function requireServerSessionWithAdmin(event: H3Event) {
|
|
const message = "Admin session required";
|
|
const session = await requireServerSession(event, message);
|
|
const users = readUsers();
|
|
const account = users.find(user => user.id === session.accountId);
|
|
if (session.access !== "admin" || account?.type !== "admin") {
|
|
throw createError({
|
|
statusCode: 403,
|
|
statusMessage: "Forbidden",
|
|
message,
|
|
});
|
|
}
|
|
return { ...session, accountId: session.accountId };
|
|
}
|
|
|
|
export async function serverSessionToApi(event: H3Event, session: ServerSession): Promise<ApiSession> {
|
|
const users = readUsers();
|
|
const account = users.find(user => !user.deleted && user.id === session.accountId);
|
|
const subscriptions = readSubscriptions();
|
|
const push = Boolean(
|
|
subscriptions.find(sub => sub.type === "push" && sub.sessionId === session.id)
|
|
);
|
|
|
|
return {
|
|
id: session.id,
|
|
account: serverUserToApiAccount(account),
|
|
authenticationProvider: session.authenticationProvider,
|
|
authenticationName: session.authenticationName,
|
|
push,
|
|
};
|
|
}
|