move invalidation to the creation of a session

2022-03-29 11:59:16 +02:00 · 2022-03-29 11:59:16 +02:00 · 5f91841a26
parent 65b3561244
commit 5f91841a26
3 changed files with 5 additions and 14 deletions
--- a/packages/backend-core/src/middleware/passport/local.js
+++ b/packages/backend-core/src/middleware/passport/local.js
@ -5,10 +5,7 @@ const env = require("../../environment")
 const { getGlobalUserByEmail } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const {
-  createASession,
-  invalidateSessions,
-} = require("../../security/sessions")
+const { createASession } = require("../../security/sessions")
 const { getTenantId } = require("../../tenancy")

 const INVALID_ERR = "Invalid credentials"
@ -56,9 +53,6 @@ exports.authenticate = async function (ctx, email, password, done) {

  // authenticate
  if (await compare(password, dbUser.password)) {
-    // invalidate all other sessions
-    await invalidateSessions(dbUser._id)
-
    const sessionId = newid()
    const tenantId = getTenantId()
    await createASession(dbUser._id, { sessionId, tenantId })
--- a/packages/backend-core/src/middleware/passport/third-party-common.js
+++ b/packages/backend-core/src/middleware/passport/third-party-common.js
@ -4,10 +4,7 @@ const { generateGlobalUserID } = require("../../db/utils")
 const { saveUser } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const {
-  createASession,
-  invalidateSessions,
-} = require("../../security/sessions")
+const { createASession } = require("../../security/sessions")
 const { getGlobalUserByEmail } = require("../../utils")
 const { getGlobalDB, getTenantId } = require("../../tenancy")
 const fetch = require("node-fetch")
@ -79,9 +76,6 @@ exports.authenticateThirdParty = async function (
  // never prompt for password reset
  dbUser.forceResetPassword = false

-  // invalidate all other sessions
-  await invalidateSessions(dbUser._id)
-
  // create or sync the user
  let response
  try {
--- a/packages/backend-core/src/security/sessions.js
+++ b/packages/backend-core/src/security/sessions.js
@ -15,6 +15,9 @@ function makeSessionID(userId, sessionId) {
 }

 exports.createASession = async (userId, session) => {
+  // invalidate all other sessions
+  await this.invalidateSessions(userId)
+
  const client = await redis.getSessionClient()
  const sessionId = session.sessionId
  if (!session.csrfToken) {