budibase/packages/backend-core/src/security/sessions.ts

const redis = require("../redis/init")
const { v4: uuidv4 } = require("uuid")
const { logWarn } = require("../logging")
const env = require("../environment")

interface CreateSession {
  sessionId: string
  tenantId: string
  csrfToken?: string
}

interface Session extends CreateSession {
  userId: string
  lastAccessedAt: string
  createdAt: string
  // make optional attributes required
  csrfToken: string
}

interface SessionKey {
  key: string
}

interface ScannedSession {
  value: Session
}

// a week in seconds
const EXPIRY_SECONDS = 86400 * 7

function makeSessionID(userId: string, sessionId: string) {
  return `${userId}/${sessionId}`
}

export async function getSessionsForUser(userId: string): Promise<Session[]> {
  if (!userId) {
    console.trace("Cannot get sessions for undefined userId")
    return []
  }
  const client = await redis.getSessionClient()
  const sessions: ScannedSession[] = await client.scan(userId)
  return sessions.map(session => session.value)
}

export async function invalidateSessions(
  userId: string,
  opts: { sessionIds?: string[]; reason?: string } = {}
) {
  try {
    const reason = opts?.reason || "unknown"
    let sessionIds: string[] = opts.sessionIds || []
    let sessionKeys: SessionKey[]

    // If no sessionIds, get all the sessions for the user
    if (sessionIds.length === 0) {
      const sessions = await getSessionsForUser(userId)
      sessionKeys = sessions.map(session => ({
        key: makeSessionID(session.userId, session.sessionId),
      }))
    } else {
      // use the passed array of sessionIds
      sessionIds = Array.isArray(sessionIds) ? sessionIds : [sessionIds]
      sessionKeys = sessionIds.map(sessionId => ({
        key: makeSessionID(userId, sessionId),
      }))
    }

    if (sessionKeys && sessionKeys.length > 0) {
      const client = await redis.getSessionClient()
      const promises = []
      for (let sessionKey of sessionKeys) {
        promises.push(client.delete(sessionKey.key))
      }
      if (!env.isTest()) {
        logWarn(
          `Invalidating sessions for ${userId} (reason: ${reason}) - ${sessionKeys
            .map(sessionKey => sessionKey.key)
            .join(", ")}`
        )
      }
      await Promise.all(promises)
    }
  } catch (err) {
    console.error(`Error invalidating sessions: ${err}`)
  }
}

export async function createASession(
  userId: string,
  createSession: CreateSession
) {
  // invalidate all other sessions
  await invalidateSessions(userId, { reason: "creation" })

  const client = await redis.getSessionClient()
  const sessionId = createSession.sessionId
  const csrfToken = createSession.csrfToken ? createSession.csrfToken : uuidv4()
  const key = makeSessionID(userId, sessionId)

  const session: Session = {
    ...createSession,
    csrfToken,
    createdAt: new Date().toISOString(),
    lastAccessedAt: new Date().toISOString(),
    userId,
  }
  await client.store(key, session, EXPIRY_SECONDS)
}

export async function updateSessionTTL(session: Session) {
  const client = await redis.getSessionClient()
  const key = makeSessionID(session.userId, session.sessionId)
  session.lastAccessedAt = new Date().toISOString()
  await client.store(key, session, EXPIRY_SECONDS)
}

export async function endSession(userId: string, sessionId: string) {
  const client = await redis.getSessionClient()
  await client.delete(makeSessionID(userId, sessionId))
}

export async function getSession(
  userId: string,
  sessionId: string
): Promise<Session> {
  if (!userId || !sessionId) {
    throw new Error(`Invalid session details - ${userId} - ${sessionId}`)
  }
  const client = await redis.getSessionClient()
  const session = await client.get(makeSessionID(userId, sessionId))
  if (!session) {
    throw new Error(`Session not found - ${userId} - ${sessionId}`)
  }
  return session
}
Updating redis to use typescript and adding the option of a writethrough cache which can be used, by passing a DB and a value to be written + a delay for writes. 2022-06-23 21:22:51 +02:00			`const redis = require("../redis/init")`
Add CSRF Token 2022-01-25 23:54:50 +01:00			`const { v4: uuidv4 } = require("uuid")`
Adding logging for session invalidation. 2022-08-04 17:06:59 +02:00			`const { logWarn } = require("../logging")`
Some more logging, moving middlewares to backend-core. 2022-08-04 20:03:50 +02:00			`const env = require("../environment")`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`interface CreateSession {`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`sessionId: string`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`tenantId: string`
			`csrfToken?: string`
			`}`

			`interface Session extends CreateSession {`
			`userId: string`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`lastAccessedAt: string`
			`createdAt: string`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`// make optional attributes required`
			`csrfToken: string`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`}`

update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`interface SessionKey {`
			`key: string`
			`}`

			`interface ScannedSession {`
			`value: Session`
			`}`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00
Extending logout TTL from a day to a week. 2021-12-03 12:17:48 +01:00			`// a week in seconds`
			`const EXPIRY_SECONDS = 86400 * 7`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`function makeSessionID(userId: string, sessionId: string) {`
			return `${userId}/${sessionId}`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`}`

update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`export async function getSessionsForUser(userId: string): Promise<Session[]> {`
Bulk session wipe fix + logging 2022-08-08 10:34:45 +02:00			`if (!userId) {`
			`console.trace("Cannot get sessions for undefined userId")`
			`return []`
			`}`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`const client = await redis.getSessionClient()`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`const sessions: ScannedSession[] = await client.scan(userId)`
			`return sessions.map(session => session.value)`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`export async function invalidateSessions(`
			`userId: string,`
			`opts: { sessionIds?: string[]; reason?: string } = {}`
			`) {`
catch block in invalidate sessions 2022-05-24 23:57:32 +02:00			`try {`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`const reason = opts?.reason \|\| "unknown"`
			`let sessionIds: string[] = opts.sessionIds \|\| []`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`let sessionKeys: SessionKey[]`
catch block in invalidate sessions 2022-05-24 23:57:32 +02:00
			`// If no sessionIds, get all the sessions for the user`
Some various session fixes based on current data. 2022-08-05 22:35:26 +02:00			`if (sessionIds.length === 0) {`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`const sessions = await getSessionsForUser(userId)`
			`sessionKeys = sessions.map(session => ({`
			`key: makeSessionID(session.userId, session.sessionId),`
			`}))`
catch block in invalidate sessions 2022-05-24 23:57:32 +02:00			`} else {`
			`// use the passed array of sessionIds`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`sessionIds = Array.isArray(sessionIds) ? sessionIds : [sessionIds]`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`sessionKeys = sessionIds.map(sessionId => ({`
catch block in invalidate sessions 2022-05-24 23:57:32 +02:00			`key: makeSessionID(userId, sessionId),`
			`}))`
			`}`

update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`if (sessionKeys && sessionKeys.length > 0) {`
Some more logging, moving middlewares to backend-core. 2022-08-04 20:03:50 +02:00			`const client = await redis.getSessionClient()`
			`const promises = []`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`for (let sessionKey of sessionKeys) {`
			`promises.push(client.delete(sessionKey.key))`
Some more logging, moving middlewares to backend-core. 2022-08-04 20:03:50 +02:00			`}`
			`if (!env.isTest()) {`
			`logWarn(`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`Invalidating sessions for ${userId} (reason: ${reason}) - ${sessionKeys
			`.map(sessionKey => sessionKey.key)`
Some more logging, moving middlewares to backend-core. 2022-08-04 20:03:50 +02:00			.join(", ")}`
			`)`
			`}`
			`await Promise.all(promises)`
catch block in invalidate sessions 2022-05-24 23:57:32 +02:00			`}`
			`} catch (err) {`
			console.error(`Error invalidating sessions: ${err}`)
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`}`
			`}`

update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`export async function createASession(`
			`userId: string,`
			`createSession: CreateSession`
			`) {`
Refactored the invalidate session functionality. 2022-04-07 13:32:00 +02:00			`// invalidate all other sessions`
Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`await invalidateSessions(userId, { reason: "creation" })`
Refactored the invalidate session functionality. 2022-04-07 13:32:00 +02:00
			`const client = await redis.getSessionClient()`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`const sessionId = createSession.sessionId`
			`const csrfToken = createSession.csrfToken ? createSession.csrfToken : uuidv4()`
			`const key = makeSessionID(userId, sessionId)`

			`const session: Session = {`
			`...createSession,`
			`csrfToken,`
Refactored the invalidate session functionality. 2022-04-07 13:32:00 +02:00			`createdAt: new Date().toISOString(),`
			`lastAccessedAt: new Date().toISOString(),`
			`userId,`
			`}`
update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`await client.store(key, session, EXPIRY_SECONDS)`
Refactored the invalidate session functionality. 2022-04-07 13:32:00 +02:00			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`export async function updateSessionTTL(session: Session) {`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`const client = await redis.getSessionClient()`
Adding sessions API. 2021-07-08 00:29:19 +02:00			`const key = makeSessionID(session.userId, session.sessionId)`
Linting. 2021-07-08 00:30:14 +02:00			`session.lastAccessedAt = new Date().toISOString()`
Adding sessions API. 2021-07-08 00:29:19 +02:00			`await client.store(key, session, EXPIRY_SECONDS)`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`}`

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated. 2022-08-05 18:13:03 +02:00			`export async function endSession(userId: string, sessionId: string) {`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`const client = await redis.getSessionClient()`
			`await client.delete(makeSessionID(userId, sessionId))`
			`}`

update bulk create and bulk delete backend 2022-08-25 20:41:47 +02:00			`export async function getSession(`
			`userId: string,`
			`sessionId: string`
			`): Promise<Session> {`
Some various session fixes based on current data. 2022-08-05 22:35:26 +02:00			`if (!userId \|\| !sessionId) {`
			throw new Error(`Invalid session details - ${userId} - ${sessionId}`)
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`}`
			`const client = await redis.getSessionClient()`
Some various session fixes based on current data. 2022-08-05 22:35:26 +02:00			`const session = await client.get(makeSessionID(userId, sessionId))`
			`if (!session) {`
			throw new Error(`Session not found - ${userId} - ${sessionId}`)
			`}`
			`return session`
WIP - first version of user sessions. 2021-07-06 19:10:04 +02:00			`}`