budibase/packages/backend-core/src/security/sessions.ts

const redis = require("../redis/init")
const { v4: uuidv4 } = require("uuid")
const { logWarn } = require("../logging")
const env = require("../environment")

interface Session {
  key: string
  userId: string
  sessionId: string
  lastAccessedAt: string
  createdAt: string
  csrfToken?: string
  value: string
}

type SessionKey = { key: string }[]

// a week in seconds
const EXPIRY_SECONDS = 86400 * 7

function makeSessionID(userId: string, sessionId: string) {
  return `${userId}/${sessionId}`
}

export async function getSessionsForUser(userId: string) {
  const client = await redis.getSessionClient()
  const sessions = await client.scan(userId)
  return sessions.map((session: Session) => session.value)
}

export async function invalidateSessions(
  userId: string,
  opts: { sessionIds?: string[]; reason?: string } = {}
) {
  try {
    const reason = opts?.reason || "unknown"
    let sessionIds: string[] = opts.sessionIds || []
    let sessions: SessionKey

    // If no sessionIds, get all the sessions for the user
    if (sessionIds.length === 0) {
      sessions = await getSessionsForUser(userId)
      sessions.forEach(
        (session: any) =>
          (session.key = makeSessionID(session.userId, session.sessionId))
      )
    } else {
      // use the passed array of sessionIds
      sessionIds = Array.isArray(sessionIds) ? sessionIds : [sessionIds]
      sessions = sessionIds.map((sessionId: string) => ({
        key: makeSessionID(userId, sessionId),
      }))
    }

    if (sessions && sessions.length > 0) {
      const client = await redis.getSessionClient()
      const promises = []
      for (let session of sessions) {
        promises.push(client.delete(session.key))
      }
      if (!env.isTest()) {
        logWarn(
          `Invalidating sessions for ${userId} (reason: ${reason}) - ${sessions
            .map(session => session.key)
            .join(", ")}`
        )
      }
      await Promise.all(promises)
    }
  } catch (err) {
    console.error(`Error invalidating sessions: ${err}`)
  }
}

export async function createASession(userId: string, session: Session) {
  // invalidate all other sessions
  await invalidateSessions(userId, { reason: "creation" })

  const client = await redis.getSessionClient()
  const sessionId = session.sessionId
  if (!session.csrfToken) {
    session.csrfToken = uuidv4()
  }
  session = {
    ...session,
    createdAt: new Date().toISOString(),
    lastAccessedAt: new Date().toISOString(),
    userId,
  }
  await client.store(makeSessionID(userId, sessionId), session, EXPIRY_SECONDS)
}

export async function updateSessionTTL(session: Session) {
  const client = await redis.getSessionClient()
  const key = makeSessionID(session.userId, session.sessionId)
  session.lastAccessedAt = new Date().toISOString()
  await client.store(key, session, EXPIRY_SECONDS)
}

export async function endSession(userId: string, sessionId: string) {
  const client = await redis.getSessionClient()
  await client.delete(makeSessionID(userId, sessionId))
}

export async function getSession(userId: string, sessionId: string) {
  if (!userId || !sessionId) {
    throw new Error(`Invalid session details - ${userId} - ${sessionId}`)
  }
  const client = await redis.getSessionClient()
  const session = await client.get(makeSessionID(userId, sessionId))
  if (!session) {
    throw new Error(`Session not found - ${userId} - ${sessionId}`)
  }
  return session
}
Updating redis to use typescript and adding the option of a writethrough cache which can be used, by passing a DB and a value to be written + a delay for writes. 2022-06-24 07:22:51 +12:00			`const redis = require("../redis/init")`
Add CSRF Token 2022-01-26 11:54:50 +13:00			`const { v4: uuidv4 } = require("uuid")`
Adding logging for session invalidation. 2022-08-05 03:06:59 +12:00			`const { logWarn } = require("../logging")`
Some more logging, moving middlewares to backend-core. 2022-08-05 06:03:50 +12:00			`const env = require("../environment")`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`interface Session {`
			`key: string`
			`userId: string`
			`sessionId: string`
			`lastAccessedAt: string`
			`createdAt: string`
			`csrfToken?: string`
			`value: string`
			`}`

			`type SessionKey = { key: string }[]`

Extending logout TTL from a day to a week. 2021-12-04 00:17:48 +13:00			`// a week in seconds`
			`const EXPIRY_SECONDS = 86400 * 7`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`function makeSessionID(userId: string, sessionId: string) {`
			return `${userId}/${sessionId}`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`export async function getSessionsForUser(userId: string) {`
			`const client = await redis.getSessionClient()`
			`const sessions = await client.scan(userId)`
			`return sessions.map((session: Session) => session.value)`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`export async function invalidateSessions(`
			`userId: string,`
			`opts: { sessionIds?: string[]; reason?: string } = {}`
			`) {`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00			`try {`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`const reason = opts?.reason \|\| "unknown"`
			`let sessionIds: string[] = opts.sessionIds \|\| []`
			`let sessions: SessionKey`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00
			`// If no sessionIds, get all the sessions for the user`
Some various session fixes based on current data. 2022-08-06 08:35:26 +12:00			`if (sessionIds.length === 0) {`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00			`sessions = await getSessionsForUser(userId)`
			`sessions.forEach(`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`(session: any) =>`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00			`(session.key = makeSessionID(session.userId, session.sessionId))`
			`)`
			`} else {`
			`// use the passed array of sessionIds`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`sessionIds = Array.isArray(sessionIds) ? sessionIds : [sessionIds]`
			`sessions = sessionIds.map((sessionId: string) => ({`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00			`key: makeSessionID(userId, sessionId),`
			`}))`
			`}`

Some more logging, moving middlewares to backend-core. 2022-08-05 06:03:50 +12:00			`if (sessions && sessions.length > 0) {`
			`const client = await redis.getSessionClient()`
			`const promises = []`
			`for (let session of sessions) {`
			`promises.push(client.delete(session.key))`
			`}`
			`if (!env.isTest()) {`
			`logWarn(`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`Invalidating sessions for ${userId} (reason: ${reason}) - ${sessions
Some more logging, moving middlewares to backend-core. 2022-08-05 06:03:50 +12:00			`.map(session => session.key)`
			.join(", ")}`
			`)`
			`}`
			`await Promise.all(promises)`
catch block in invalidate sessions 2022-05-25 09:57:32 +12:00			`}`
			`} catch (err) {`
			console.error(`Error invalidating sessions: ${err}`)
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`
			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`export async function createASession(userId: string, session: Session) {`
Refactored the invalidate session functionality. 2022-04-07 23:32:00 +12:00			`// invalidate all other sessions`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`await invalidateSessions(userId, { reason: "creation" })`
Refactored the invalidate session functionality. 2022-04-07 23:32:00 +12:00
			`const client = await redis.getSessionClient()`
			`const sessionId = session.sessionId`
			`if (!session.csrfToken) {`
			`session.csrfToken = uuidv4()`
			`}`
			`session = {`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`...session,`
Refactored the invalidate session functionality. 2022-04-07 23:32:00 +12:00			`createdAt: new Date().toISOString(),`
			`lastAccessedAt: new Date().toISOString(),`
			`userId,`
			`}`
			`await client.store(makeSessionID(userId, sessionId), session, EXPIRY_SECONDS)`
			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`export async function updateSessionTTL(session: Session) {`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`const client = await redis.getSessionClient()`
Adding sessions API. 2021-07-08 10:29:19 +12:00			`const key = makeSessionID(session.userId, session.sessionId)`
Linting. 2021-07-08 10:30:14 +12:00			`session.lastAccessedAt = new Date().toISOString()`
Adding sessions API. 2021-07-08 10:29:19 +12:00			`await client.store(key, session, EXPIRY_SECONDS)`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`export async function endSession(userId: string, sessionId: string) {`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`const client = await redis.getSessionClient()`
			`await client.delete(makeSessionID(userId, sessionId))`
			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-06 04:13:03 +12:00			`export async function getSession(userId: string, sessionId: string) {`
Some various session fixes based on current data. 2022-08-06 08:35:26 +12:00			`if (!userId \|\| !sessionId) {`
			throw new Error(`Invalid session details - ${userId} - ${sessionId}`)
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`
			`const client = await redis.getSessionClient()`
Some various session fixes based on current data. 2022-08-06 08:35:26 +12:00			`const session = await client.get(makeSessionID(userId, sessionId))`
			`if (!session) {`
			throw new Error(`Session not found - ${userId} - ${sessionId}`)
			`}`
			`return session`
WIP - first version of user sessions. 2021-07-07 05:10:04 +12:00			`}`