From 97b9decf6d6d4d8a351ac84f7971cb53263804ee Mon Sep 17 00:00:00 2001
From: Andcool-Systems
Date: Sat, 14 Dec 2024 17:55:58 +0300
Subject: [PATCH] fixed weak session validating

---
 src/auth/auth.controller.ts |  2 +-
 src/auth/auth.service.ts    | 45 ++++++++++++++++++++++++-------------
 src/guards/auth.guard.ts    | 11 +++++++--
 3 files changed, 39 insertions(+), 19 deletions(-)

diff --git a/src/auth/auth.controller.ts b/src/auth/auth.controller.ts
index 630f298..c927eca 100644
--- a/src/auth/auth.controller.ts
+++ b/src/auth/auth.controller.ts
@@ -21,7 +21,7 @@ export class AuthController {
         /* log out user */
         const user_agent = request.headers['user-agent'];
 
-        const session = await this.authService.validateSession(request.cookies.sessionId, user_agent as string);
+        const session = await this.authService.validateSession(request.cookies.sessionId, user_agent as string, true);
         if (!session) {
             res.status(HttpStatus.UNAUTHORIZED).send(UNAUTHORIZED);
             return;
diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
index c579a24..18b1a40 100644
--- a/src/auth/auth.service.ts
+++ b/src/auth/auth.service.ts
@@ -97,6 +97,19 @@ export class AuthService {
         private readonly userService: UserService
     ) { }
 
+    userInclude = {
+        User: {
+            include: {
+                profile: true,
+                notifications: true,
+                UserSettings: true,
+                Bandage: true,
+                stars: true,
+                AccessRoles: true,
+            },
+        },
+    };
+
     async getRoles() {
         return (await this.prisma.roles.findMany()).reverse();
     }
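Review bot: `userInclude` is hoisted onto AuthService as a public, mutable instance field although it is only consumed internally as a Prisma `include` argument; declare it `private readonly userInclude = { ... };` so nothing holding a reference to the service can reassign or mutate the set of relations that every session lookup eagerly loads. A short comment above it such as `// relations loaded with a session's user; shared by every sessions query in this service` would also explain why it was moved out of validateSession.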
@@ -233,27 +246,18 @@ export class AuthService {
         return token_record;
     }
 
-    async validateSession(session: string | undefined, user_agent: string): Promise {
+    async validateSessionWeak(session: string | undefined, user_agent: string) {
+
+    }
+
+    async validateSession(session: string | undefined, user_agent: string, strict: boolean): Promise {
         /* validate and update user session */
         if (!session) return null;
 
-        const userInclude = {
-            User: {
-                include: {
-                    profile: true,
-                    notifications: true,
-                    UserSettings: true,
-                    Bandage: true,
-                    stars: true,
-                    AccessRoles: true,
-                },
-            },
-        };
-
         const sessionDB = await this.prisma.sessions.findFirst({
             where: { sessionId: session },
-            include: userInclude
+            include: this.userInclude
         });
 
         if (!sessionDB) return null;
 
@@ -270,13 +274,22 @@ export class AuthService {
         try {
             const decoded = verify(session, 'ppl_super_secret') as SessionToken;
             const now = Math.round(Date.now() / 1000);
 
+
+            if (!strict && decoded.exp > now) {
+                return {
+                    sessionId: sessionDB.sessionId,
+                    cookie: generateCookie(session, decoded.exp),
+                    user: sessionDB.User
+                }
+            }
+
             if (decoded.iat + ((decoded.exp - decoded.iat) / 2) < now) {
                 const sessionId = sign({ userId: sessionDB.userId }, 'ppl_super_secret', { expiresIn: Number(process.env.SESSION_TTL) });
                 const updatedSession = await this.prisma.sessions.update({
                     where: { id: sessionDB.id },
                     data: { sessionId: sessionId },
-                    include: userInclude
+                    include: this.userInclude
                 });
 
                 return {
diff --git a/src/guards/auth.guard.ts b/src/guards/auth.guard.ts
index cf7d4d3..03c5dd6 100644
--- a/src/guards/auth.guard.ts
+++ b/src/guards/auth.guard.ts
@@ -27,7 +27,7 @@ export class AuthGuard implements CanActivate {
             return true;
         }
 
-        const session = await this.oathService.validateSession(sessionId, user_agent);
+        const session = await this.oathService.validateSession(sessionId, user_agent, strict === 'Strict');
         if (!session && strict === 'Strict') {
             response.status(401).send(UNAUTHORIZED);
             return false;
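Review bot: `validateSessionWeak` is added with an empty body and no return type, so it resolves to `undefined` and any caller written against it will either treat every session as invalid or fail when it reads the session shape; either remove it or make it the documented weak entry point with `return this.validateSession(session, user_agent, false);`. As it stands its `user_agent` parameter is also unused, which a type-checked lint pass will flag. The new required `strict` parameter on validateSession is a bare positional boolean; a one-line doc comment stating what non-strict skips would help every future call site, since the difference is only visible deep inside the method. validateSession's body continues into the next hunk and beyond it.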
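Review bot: The `!strict` early return sits after `verify()`, and if `verify` here is jsonwebtoken's default it already throws on an expired token, so `decoded.exp > now` is always true at that point; either drop the comparison or keep it as explicit defence with a comment such as `// exp re-checked in case verify is ever called with ignoreExpiration`. The same branch returns before the half-life rotation below it, so a session that is only ever presented to non-strict routes keeps its original `sessionId` until expiry and is never re-issued — if that is intended, say so in a comment; if not, the weak path should fall through to the rotation instead of returning early. Independently of this commit, both `verify` and `sign` in this hunk use the literal `'ppl_super_secret'`; sourcing the key from configuration the way `SESSION_TTL` already is would keep it out of the repository and make rotation possible. validateSession's body continues past this hunk.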
@@ -36,7 +36,14 @@ export class AuthGuard implements CanActivate {
         request.session = session;
         if (session) {
             response.setHeader('SetCookie', session.cookie);
-            await this.prisma.sessions.update({ where: { sessionId: session.sessionId }, data: { last_accessed: new Date() } });
+            try {
+                await this.prisma.sessions.update({
+                    where: { sessionId: session.sessionId },
+                    data: { last_accessed: new Date() }
+                });
+            } catch (e) {
+                console.error(`Failed to update last access for session: ${e}`);
+            }
         }
 
         return true;
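Review bot: The new catch logs `${e}`, which for an `unknown` error collapses to its `toString()` and drops the stack and any Prisma error code; pass the error as a separate argument, `console.error('Failed to update last access for session', e);`, or use Nest's `Logger` if the guard already has one. Keeping the session id out of the message is right, since `session.sessionId` is the signed token itself and should never reach log output. Swallowing the failure and still returning `true` is a reasonable best-effort choice for a last-accessed timestamp, but a comment saying so (`// best effort: a failed timestamp write must not block an otherwise valid request`) would stop a later reader from "fixing" it. Independently of this commit, the context line above sets the header name `'SetCookie'` rather than `Set-Cookie`; unless a frontend reads that custom header deliberately, browsers will ignore it and the rotated cookie returned by validateSession is never stored, which is worth confirming.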