budibase/packages/backend-core/src/security/sessions.ts

import * as redis from "../redis/init"
import { v4 as uuidv4 } from "uuid"
import { logWarn } from "../logging"
import env from "../environment"
import { Duration } from "../utils"
import {
  Session,
  ScannedSession,
  SessionKey,
  CreateSession,
} from "@budibase/types"

// a week expiry is the default
const EXPIRY_SECONDS = env.SESSION_EXPIRY_SECONDS
  ? parseInt(env.SESSION_EXPIRY_SECONDS)
  : Duration.fromDays(7).toSeconds()

function makeSessionID(userId: string, sessionId: string) {
  return `${userId}/${sessionId}`
}

export async function getSessionsForUser(userId: string): Promise<Session[]> {
  if (!userId) {
    console.trace("Cannot get sessions for undefined userId")
    return []
  }
  const client = await redis.getSessionClient()
  const sessions: ScannedSession[] = await client.scan(userId)
  return sessions.map(session => session.value)
}

export async function invalidateSessions(
  userId: string,
  opts: { sessionIds?: string[]; reason?: string } = {}
) {
  try {
    const reason = opts?.reason || "unknown"
    let sessionIds: string[] = opts.sessionIds || []
    let sessionKeys: SessionKey[]

    // If no sessionIds, get all the sessions for the user
    if (sessionIds.length === 0) {
      const sessions = await getSessionsForUser(userId)
      sessionKeys = sessions.map(session => ({
        key: makeSessionID(session.userId, session.sessionId),
      }))
    } else {
      // use the passed array of sessionIds
      sessionIds = Array.isArray(sessionIds) ? sessionIds : [sessionIds]
      sessionKeys = sessionIds.map(sessionId => ({
        key: makeSessionID(userId, sessionId),
      }))
    }

    if (sessionKeys && sessionKeys.length > 0) {
      const client = await redis.getSessionClient()
      const promises = []
      for (let sessionKey of sessionKeys) {
        promises.push(client.delete(sessionKey.key))
      }
      if (!env.isTest()) {
        logWarn(
          `Invalidating sessions for ${userId} (reason: ${reason}) - ${sessionKeys
            .map(sessionKey => sessionKey.key)
            .join(", ")}`
        )
      }
      await Promise.all(promises)
    }
  } catch (err) {
    console.error(`Error invalidating sessions: ${err}`)
  }
}

export async function createASession(
  userId: string,
  createSession: CreateSession
) {
  // invalidate all other sessions
  await invalidateSessions(userId, { reason: "creation" })

  const client = await redis.getSessionClient()
  const sessionId = createSession.sessionId
  const csrfToken = createSession.csrfToken ? createSession.csrfToken : uuidv4()
  const key = makeSessionID(userId, sessionId)

  const session: Session = {
    ...createSession,
    csrfToken,
    createdAt: new Date().toISOString(),
    lastAccessedAt: new Date().toISOString(),
    userId,
  }
  await client.store(key, session, EXPIRY_SECONDS)
  return session
}

export async function updateSessionTTL(session: Session) {
  const client = await redis.getSessionClient()
  const key = makeSessionID(session.userId, session.sessionId)
  session.lastAccessedAt = new Date().toISOString()
  await client.store(key, session, EXPIRY_SECONDS)
}

export async function endSession(userId: string, sessionId: string) {
  const client = await redis.getSessionClient()
  await client.delete(makeSessionID(userId, sessionId))
}

export async function getSession(
  userId: string,
  sessionId: string
): Promise<Session> {
  if (!userId || !sessionId) {
    throw new Error(`Invalid session details - ${userId} - ${sessionId}`)
  }
  const client = await redis.getSessionClient()
  const session = await client.get(makeSessionID(userId, sessionId))
  if (!session) {
    throw new Error(`Session not found - ${userId} - ${sessionId}`)
  }
  return session
}
Adding a 'SESSION_EXPIRY_SECONDS' environment variable which can be set on the services to configure how long before an idle user is logged out. 2024-01-26 05:22:39 +13:00			`import * as redis from "../redis/init"`
			`import { v4 as uuidv4 } from "uuid"`
			`import { logWarn } from "../logging"`
Replace ts-jest with swc/jest (#9289) - Add swc dependencies - Add transform change to jest.config.ts - Replace `export =` with `export default` in src code to enable code coverage to work with swc transformer - Restructure backend-core errors package to allow for exporting error classes with ESM syntax - Update backend-core to no longer use `export =`, export individual packages instead of replacing with `export default` for backwards compatibility - Update event publishers to use `export default` - this was required for the `jest.spyOn` usage inside backend-core common mocks - Restructure some jest.mock usages where declaring the jest.fn as a variable outside of the package mock threw an error 2023-01-11 22:37:37 +13:00			`import env from "../environment"`
Adding a 'SESSION_EXPIRY_SECONDS' environment variable which can be set on the services to configure how long before an idle user is logged out. 2024-01-26 05:22:39 +13:00			`import { Duration } from "../utils"`
Day pass middleware 2022-09-06 23:25:57 +12:00			`import {`
			`Session,`
			`ScannedSession,`
			`SessionKey,`
			`CreateSession,`
			`} from "@budibase/types"`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00
Adding a 'SESSION_EXPIRY_SECONDS' environment variable which can be set on the services to configure how long before an idle user is logged out. 2024-01-26 05:22:39 +13:00			`// a week expiry is the default`
			`const EXPIRY_SECONDS = env.SESSION_EXPIRY_SECONDS`
			`? parseInt(env.SESSION_EXPIRY_SECONDS)`
			`: Duration.fromDays(7).toSeconds()`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`function makeSessionID(userId: string, sessionId: string) {`
			return `${userId}/${sessionId}`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`

update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`export async function getSessionsForUser(userId: string): Promise<Session[]> {`
Bulk session wipe fix + logging 2022-08-08 20:34:45 +12:00			`if (!userId) {`
			`console.trace("Cannot get sessions for undefined userId")`
			`return []`
			`}`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`const client = await redis.getSessionClient()`
update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`const sessions: ScannedSession[] = await client.scan(userId)`
			`return sessions.map(session => session.value)`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`export async function invalidateSessions(`
			`userId: string,`
			`opts: { sessionIds?: string[]; reason?: string } = {}`
			`) {`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00			`try {`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`const reason = opts?.reason \|\| "unknown"`
			`let sessionIds: string[] = opts.sessionIds \|\| []`
update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`let sessionKeys: SessionKey[]`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00
			`// If no sessionIds, get all the sessions for the user`
Some various session fixes based on current data. 2022-08-06 08:35:26 +12:00			`if (sessionIds.length === 0) {`
update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`const sessions = await getSessionsForUser(userId)`
			`sessionKeys = sessions.map(session => ({`
			`key: makeSessionID(session.userId, session.sessionId),`
			`}))`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00			`} else {`
			`// use the passed array of sessionIds`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`sessionIds = Array.isArray(sessionIds) ? sessionIds : [sessionIds]`
update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`sessionKeys = sessionIds.map(sessionId => ({`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00			`key: makeSessionID(userId, sessionId),`
			`}))`
			`}`

update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`if (sessionKeys && sessionKeys.length > 0) {`
Some more logging, moving middlewares to backend-core. 2022-08-05 06:03:50 +12:00			`const client = await redis.getSessionClient()`
			`const promises = []`
update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`for (let sessionKey of sessionKeys) {`
			`promises.push(client.delete(sessionKey.key))`
Some more logging, moving middlewares to backend-core. 2022-08-05 06:03:50 +12:00			`}`
			`if (!env.isTest()) {`
			`logWarn(`
update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`Invalidating sessions for ${userId} (reason: ${reason}) - ${sessionKeys
			`.map(sessionKey => sessionKey.key)`
Some more logging, moving middlewares to backend-core. 2022-08-05 06:03:50 +12:00			.join(", ")}`
			`)`
			`}`
			`await Promise.all(promises)`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00			`}`
			`} catch (err) {`
			console.error(`Error invalidating sessions: ${err}`)
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`
			`}`

update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`export async function createASession(`
			`userId: string,`
			`createSession: CreateSession`
			`) {`
Refactored the invalidate session functionality. 2022-04-07 23:32:00 +12:00			`// invalidate all other sessions`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`await invalidateSessions(userId, { reason: "creation" })`
Refactored the invalidate session functionality. 2022-04-07 23:32:00 +12:00
			`const client = await redis.getSessionClient()`
update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`const sessionId = createSession.sessionId`
			`const csrfToken = createSession.csrfToken ? createSession.csrfToken : uuidv4()`
			`const key = makeSessionID(userId, sessionId)`

			`const session: Session = {`
			`...createSession,`
			`csrfToken,`
Refactored the invalidate session functionality. 2022-04-07 23:32:00 +12:00			`createdAt: new Date().toISOString(),`
			`lastAccessedAt: new Date().toISOString(),`
			`userId,`
			`}`
update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`await client.store(key, session, EXPIRY_SECONDS)`
Account portal <-> backend-core fixes 2022-11-23 11:24:45 +13:00			`return session`
Refactored the invalidate session functionality. 2022-04-07 23:32:00 +12:00			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`export async function updateSessionTTL(session: Session) {`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`const client = await redis.getSessionClient()`
Adding sessions API. 2021-07-08 10:29:19 +12:00			`const key = makeSessionID(session.userId, session.sessionId)`
Linting. 2021-07-08 10:30:14 +12:00			`session.lastAccessedAt = new Date().toISOString()`
Adding sessions API. 2021-07-08 10:29:19 +12:00			`await client.store(key, session, EXPIRY_SECONDS)`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`export async function endSession(userId: string, sessionId: string) {`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`const client = await redis.getSessionClient()`
			`await client.delete(makeSessionID(userId, sessionId))`
			`}`

update bulk create and bulk delete backend 2022-08-26 06:41:47 +12:00			`export async function getSession(`
			`userId: string,`
			`sessionId: string`
			`): Promise<Session> {`
Some various session fixes based on current data. 2022-08-06 08:35:26 +12:00			`if (!userId \|\| !sessionId) {`
			throw new Error(`Invalid session details - ${userId} - ${sessionId}`)
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`
			`const client = await redis.getSessionClient()`
Some various session fixes based on current data. 2022-08-06 08:35:26 +12:00			`const session = await client.get(makeSessionID(userId, sessionId))`
			`if (!session) {`
			throw new Error(`Session not found - ${userId} - ${sessionId}`)
			`}`
			`return session`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`