
fixed weak session validating
Andcool-Systems committed Dec 14, 2024
1 parent a120911 commit 97b9dec
Showing 3 changed files with 39 additions and 19 deletions.
2 changes: 1 addition & 1 deletion src/auth/auth.controller.ts
Expand Up @@ -21,7 +21,7 @@ export class AuthController {
/* log out user */

const user_agent = request.headers['user-agent'];
const session = await this.authService.validateSession(request.cookies.sessionId, user_agent as string);
const session = await this.authService.validateSession(request.cookies.sessionId, user_agent as string, true);
if (!session) {
res.status(HttpStatus.UNAUTHORIZED).send(UNAUTHORIZED);
return;
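Review bot: The new call passes a bare `true` for the `strict` parameter, which reads opaquely at the call site; a comment such as `// logout must only act on a fully validated session` or a named local `const strictValidation = true;` would say why this route opts in. The same line keeps `user_agent as string` although `request.headers['user-agent']` may be absent, so the assertion hides the missing-header case and `validateSession` receives `undefined` under a `string` type; checking for the header and returning 401 before the call would be safer than the cast. The enclosing handler starts and ends outside the hunk.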
45 changes: 29 additions & 16 deletions src/auth/auth.service.ts
Expand Up @@ -97,6 +97,19 @@ export class AuthService {
private readonly userService: UserService
) { }

userInclude = {
User: {
include: {
profile: true,
notifications: true,
UserSettings: true,
Bandage: true,
stars: true,
AccessRoles: true,
},
},
};

async getRoles() {
return (await this.prisma.roles.findMany()).reverse();
}
Expand Down Expand Up @@ -233,27 +246,18 @@ export class AuthService {
return token_record;
}

async validateSession(session: string | undefined, user_agent: string): Promise<Session | null> {
async validateSessionWeak(session: string | undefined, user_agent: string) {

}

async validateSession(session: string | undefined, user_agent: string, strict: boolean): Promise<Session | null> {
/* validate and update user session */

if (!session) return null;

const userInclude = {
User: {
include: {
profile: true,
notifications: true,
UserSettings: true,
Bandage: true,
stars: true,
AccessRoles: true,
},
},
};

const sessionDB = await this.prisma.sessions.findFirst({
where: { sessionId: session },
include: userInclude
include: this.userInclude
});

if (!sessionDB) return null;
Expand All @@ -270,13 +274,22 @@ export class AuthService {
try {
const decoded = verify(session, 'ppl_super_secret') as SessionToken;
const now = Math.round(Date.now() / 1000);

if (!strict && decoded.exp > now) {
return {
sessionId: sessionDB.sessionId,
cookie: generateCookie(session, decoded.exp),
user: sessionDB.User
}
}

if (decoded.iat + ((decoded.exp - decoded.iat) / 2) < now) {
const sessionId = sign({ userId: sessionDB.userId }, 'ppl_super_secret', { expiresIn: Number(process.env.SESSION_TTL) });

const updatedSession = await this.prisma.sessions.update({
where: { id: sessionDB.id },
data: { sessionId: sessionId },
include: userInclude
include: this.userInclude
});

return {
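Review bot: `validateSessionWeak` in the second hunk is added as an empty `async` method with no return type, so it resolves to `undefined` and any caller that adopts it will treat every session as invalid; either make it a thin wrapper, `return this.validateSession(session, user_agent, false);`, or drop it, since `validateSession` already carries the `strict` flag. In the third hunk the `!strict` early return exits before the half-lifetime rotation below it, so requests that arrive through non-strict routes never refresh the token; if that is intended, a comment `// non-strict callers only check validity; rotation happens on strict routes` would keep the next reader from taking it for a missed branch. The hoisted `userInclude` in the first hunk is a public mutable class field; `private readonly userInclude = {...}` matches the `private readonly` constructor parameters just above it. The enclosing `validateSession` body continues outside the hunk, and the literal secret on the `verify` call the new branch depends on is context rather than new code, though it is worth tracking separately.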
11 changes: 9 additions & 2 deletions src/guards/auth.guard.ts
Expand Up @@ -27,7 +27,7 @@ export class AuthGuard implements CanActivate {
return true;
}

const session = await this.oathService.validateSession(sessionId, user_agent);
const session = await this.oathService.validateSession(sessionId, user_agent, strict === 'Strict');
if (!session && strict === 'Strict') {
response.status(401).send(UNAUTHORIZED);
return false;
Expand All @@ -36,7 +36,14 @@ export class AuthGuard implements CanActivate {
request.session = session;
if (session) {
response.setHeader('SetCookie', session.cookie);
await this.prisma.sessions.update({ where: { sessionId: session.sessionId }, data: { last_accessed: new Date() } });
try {
await this.prisma.sessions.update({
where: { sessionId: session.sessionId },
data: { last_accessed: new Date() }
});
} catch (e) {
console.error(`Failed to update last access for session: ${e}`);
}
}

return true;
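Review bot: The new `catch (e)` in the second hunk interpolates the error into the message, which drops the stack and prints `[object Object]` for non-Error throwables; pass it as a separate argument, `console.error('Failed to update last access for session', e);`. Swallowing the failure is defensible here because the session has already been validated above, but a comment `// last_accessed is best-effort; a failed write must not reject the request` would make that intent explicit. The `strict === 'Strict'` comparison added in the first hunk is now evaluated twice, once in the call and once in the following `if`; hoisting `const isStrict = strict === 'Strict';` above the call keeps the two in step. Unrelated to this change, the `'SetCookie'` header name on the context line above the try block does not match the standard `Set-Cookie` header and is worth checking separately. Both hunks sit inside `canActivate`, whose body starts and ends outside the section.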
