MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Updating sessions to TS, adding env var to set the session update length, adding reasons for invalidation, making sure errors are never considered authenticated.

This commit is contained in:
mike12345567 2022-08-05 17:13:03 +01:00
parent ba0e423fb9
commit a2f18e2e44
8 changed files with 62 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
packages/backend-core/src/environment.ts
View File

@ -56,6 +56,7 @@ const env = {
SERVICE: process.env.SERVICE || "budibase", SERVICE: process.env.SERVICE || "budibase",
MEMORY_LEAK_CHECK: process.env.MEMORY_LEAK_CHECK || false, MEMORY_LEAK_CHECK: process.env.MEMORY_LEAK_CHECK || false,
LOG_LEVEL: process.env.LOG_LEVEL, LOG_LEVEL: process.env.LOG_LEVEL,
SESSION_UPDATE_PERIOD: process.env.SESSION_UPDATE_PERIOD,
DEPLOYMENT_ENVIRONMENT: DEPLOYMENT_ENVIRONMENT:
process.env.DEPLOYMENT_ENVIRONMENT || "docker-compose", process.env.DEPLOYMENT_ENVIRONMENT || "docker-compose",
_set(key: any, value: any) { _set(key: any, value: any) {

2
packages/backend-core/src/index.ts
View File

@ -9,7 +9,7 @@ import * as installation from "./installation"
import env from "./environment" import env from "./environment"
import tenancy from "./tenancy" import tenancy from "./tenancy"
import featureFlags from "./featureFlags" import featureFlags from "./featureFlags"
import sessions from "./security/sessions" import * as sessions from "./security/sessions"
import deprovisioning from "./context/deprovision" import deprovisioning from "./context/deprovision"
import auth from "./auth" import auth from "./auth"
import constants from "./constants" import constants from "./constants"

8
packages/backend-core/src/middleware/authenticated.ts
View File

@ -11,7 +11,7 @@ import { decrypt } from "../security/encryption"
const identity = require("../context/identity") const identity = require("../context/identity")
const env = require("../environment") const env = require("../environment")
const ONE_MINUTE = 60 * 1000 const ONE_MINUTE = env.SESSION_UPDATE_PERIOD || 60 * 1000
interface FinaliseOpts { interface FinaliseOpts {
authenticated?: boolean authenticated?: boolean
@ -86,9 +86,9 @@ module.exports = (
const authCookie = getCookie(ctx, Cookies.Auth) || openJwt(headerToken) const authCookie = getCookie(ctx, Cookies.Auth) || openJwt(headerToken)
let authenticated = false, let authenticated = false,
user = null, user = null,
internal = false internal = false,
error = null
if (authCookie) { if (authCookie) {
let error = null
const sessionId = authCookie.sessionId const sessionId = authCookie.sessionId
const userId = authCookie.userId const userId = authCookie.userId
@ -144,7 +144,7 @@ module.exports = (
delete user.password delete user.password
} }
// be explicit // be explicit
if (authenticated !== true) { if (error || authenticated !== true) {
authenticated = false authenticated = false
} }
// isAuthenticated is a function, so use a variable to be able to check authed state // isAuthenticated is a function, so use a variable to be able to check authed state

62
packages/backend-core/src/security/sessions.js → packages/backend-core/src/security/sessions.ts
View File

@ -3,34 +3,51 @@ const { v4: uuidv4 } = require("uuid")
const { logWarn } = require("../logging") const { logWarn } = require("../logging")
const env = require("../environment") const env = require("../environment")
interface Session {
key: string
userId: string
sessionId: string
lastAccessedAt: string
createdAt: string
csrfToken?: string
value: string
}
type SessionKey = { key: string }[]
// a week in seconds // a week in seconds
const EXPIRY_SECONDS = 86400 * 7 const EXPIRY_SECONDS = 86400 * 7
async function getSessionsForUser(userId) { function makeSessionID(userId: string, sessionId: string) {
const client = await redis.getSessionClient()
const sessions = await client.scan(userId)
return sessions.map(session => session.value)
}
function makeSessionID(userId, sessionId) {
return `${userId}/${sessionId}` return `${userId}/${sessionId}`
} }
async function invalidateSessions(userId, sessionIds = null) { export async function getSessionsForUser(userId: string) {
const client = await redis.getSessionClient()
const sessions = await client.scan(userId)
return sessions.map((session: Session) => session.value)
}
export async function invalidateSessions(
userId: string,
opts: { sessionIds?: string[]; reason?: string } = {}
) {
try { try {
let sessions = [] const reason = opts?.reason || "unknown"
let sessionIds: string[] = opts.sessionIds || []
let sessions: SessionKey
// If no sessionIds, get all the sessions for the user // If no sessionIds, get all the sessions for the user
if (!sessionIds) { if (!sessionIds) {
sessions = await getSessionsForUser(userId) sessions = await getSessionsForUser(userId)
sessions.forEach( sessions.forEach(
session => (session: any) =>
(session.key = makeSessionID(session.userId, session.sessionId)) (session.key = makeSessionID(session.userId, session.sessionId))
) )
} else { } else {
// use the passed array of sessionIds // use the passed array of sessionIds
sessions = Array.isArray(sessionIds) ? sessionIds : [sessionIds] sessionIds = Array.isArray(sessionIds) ? sessionIds : [sessionIds]
sessions = sessions.map(sessionId => ({ sessions = sessionIds.map((sessionId: string) => ({
key: makeSessionID(userId, sessionId), key: makeSessionID(userId, sessionId),
})) }))
} }
@ -43,7 +60,7 @@ async function invalidateSessions(userId, sessionIds = null) {
} }
if (!env.isTest()) { if (!env.isTest()) {
logWarn( logWarn(
`Invalidating sessions for ${userId} - ${sessions `Invalidating sessions for ${userId} (reason: ${reason}) - ${sessions
.map(session => session.key) .map(session => session.key)
.join(", ")}` .join(", ")}`
) )
@ -55,9 +72,9 @@ async function invalidateSessions(userId, sessionIds = null) {
} }
} }
exports.createASession = async (userId, session) => { export async function createASession(userId: string, session: Session) {
// invalidate all other sessions // invalidate all other sessions
await invalidateSessions(userId) await invalidateSessions(userId, { reason: "creation" })
const client = await redis.getSessionClient() const client = await redis.getSessionClient()
const sessionId = session.sessionId const sessionId = session.sessionId
@ -65,27 +82,27 @@ exports.createASession = async (userId, session) => {
session.csrfToken = uuidv4() session.csrfToken = uuidv4()
} }
session = { session = {
...session,
createdAt: new Date().toISOString(), createdAt: new Date().toISOString(),
lastAccessedAt: new Date().toISOString(), lastAccessedAt: new Date().toISOString(),
...session,
userId, userId,
} }
await client.store(makeSessionID(userId, sessionId), session, EXPIRY_SECONDS) await client.store(makeSessionID(userId, sessionId), session, EXPIRY_SECONDS)
} }
exports.updateSessionTTL = async session => { export async function updateSessionTTL(session: Session) {
const client = await redis.getSessionClient() const client = await redis.getSessionClient()
const key = makeSessionID(session.userId, session.sessionId) const key = makeSessionID(session.userId, session.sessionId)
session.lastAccessedAt = new Date().toISOString() session.lastAccessedAt = new Date().toISOString()
await client.store(key, session, EXPIRY_SECONDS) await client.store(key, session, EXPIRY_SECONDS)
} }
exports.endSession = async (userId, sessionId) => { export async function endSession(userId: string, sessionId: string) {
const client = await redis.getSessionClient() const client = await redis.getSessionClient()
await client.delete(makeSessionID(userId, sessionId)) await client.delete(makeSessionID(userId, sessionId))
} }
exports.getSession = async (userId, sessionId) => { export async function getSession(userId: string, sessionId: string) {
try { try {
const client = await redis.getSessionClient() const client = await redis.getSessionClient()
return client.get(makeSessionID(userId, sessionId)) return client.get(makeSessionID(userId, sessionId))
@ -96,11 +113,8 @@ exports.getSession = async (userId, sessionId) => {
} }
} }
exports.getAllSessions = async () => { export async function getAllSessions() {
const client = await redis.getSessionClient() const client = await redis.getSessionClient()
const sessions = await client.scan() const sessions = await client.scan()
return sessions.map(session => session.value) return sessions.map((session: Session) => session.value)
} }
exports.getUserSessions = getSessionsForUser
exports.invalidateSessions = invalidateSessions

13
packages/backend-core/src/utils.js
View File

@ -10,7 +10,10 @@ const { queryGlobalView } = require("./db/views")
const { Headers, Cookies, MAX_VALID_DATE } = require("./constants") const { Headers, Cookies, MAX_VALID_DATE } = require("./constants")
const env = require("./environment") const env = require("./environment")
const userCache = require("./cache/user") const userCache = require("./cache/user")
const { getUserSessions, invalidateSessions } = require("./security/sessions") const {
getSessionsForUser,
invalidateSessions,
} = require("./security/sessions")
const events = require("./events") const events = require("./events")
const tenancy = require("./tenancy") const tenancy = require("./tenancy")
@ -178,7 +181,7 @@ exports.platformLogout = async ({ ctx, userId, keepActiveSession }) => {
if (!ctx) throw new Error("Koa context must be supplied to logout.") if (!ctx) throw new Error("Koa context must be supplied to logout.")
const currentSession = exports.getCookie(ctx, Cookies.Auth) const currentSession = exports.getCookie(ctx, Cookies.Auth)
let sessions = await getUserSessions(userId) let sessions = await getSessionsForUser(userId)
if (keepActiveSession) { if (keepActiveSession) {
sessions = sessions.filter( sessions = sessions.filter(
@ -190,10 +193,8 @@ exports.platformLogout = async ({ ctx, userId, keepActiveSession }) => {
exports.clearCookie(ctx, Cookies.CurrentApp) exports.clearCookie(ctx, Cookies.CurrentApp)
} }
await invalidateSessions( const sessionIds = sessions.map(({ sessionId }) => sessionId)
userId, await invalidateSessions(userId, { sessionIds, reason: "logout" })
sessions.map(({ sessionId }) => sessionId)
)
await events.auth.logout() await events.auth.logout()
await userCache.invalidateUser(userId) await userCache.invalidateUser(userId)
} }

1
packages/server/src/environment.js
View File

@ -63,6 +63,7 @@ module.exports = {
DISABLE_ACCOUNT_PORTAL: process.env.DISABLE_ACCOUNT_PORTAL, DISABLE_ACCOUNT_PORTAL: process.env.DISABLE_ACCOUNT_PORTAL,
TEMPLATE_REPOSITORY: process.env.TEMPLATE_REPOSITORY || "app", TEMPLATE_REPOSITORY: process.env.TEMPLATE_REPOSITORY || "app",
DISABLE_AUTO_PROD_APP_SYNC: process.env.DISABLE_AUTO_PROD_APP_SYNC, DISABLE_AUTO_PROD_APP_SYNC: process.env.DISABLE_AUTO_PROD_APP_SYNC,
SESSION_UPDATE_PERIOD: process.env.SESSION_UPDATE_PERIOD,
// minor // minor
SALT_ROUNDS: process.env.SALT_ROUNDS, SALT_ROUNDS: process.env.SALT_ROUNDS,
LOGGER: process.env.LOGGER, LOGGER: process.env.LOGGER,

1
packages/worker/src/environment.js
View File

@ -61,6 +61,7 @@ module.exports = {
SMTP_FROM_ADDRESS: process.env.SMTP_FROM_ADDRESS, SMTP_FROM_ADDRESS: process.env.SMTP_FROM_ADDRESS,
// other // other
CHECKLIST_CACHE_TTL: parseIntSafe(process.env.CHECKLIST_CACHE_TTL) || 3600, CHECKLIST_CACHE_TTL: parseIntSafe(process.env.CHECKLIST_CACHE_TTL) || 3600,
SESSION_UPDATE_PERIOD: process.env.SESSION_UPDATE_PERIOD,
_set(key, value) { _set(key, value) {
process.env[key] = value process.env[key] = value
module.exports[key] = value module.exports[key] = value

16
packages/worker/src/sdk/users/users.ts
View File

@ -370,6 +370,7 @@ export const bulkDelete = async (userIds: any) => {
export const destroy = async (id: string, currentUser: any) => { export const destroy = async (id: string, currentUser: any) => {
const db = tenancy.getGlobalDB() const db = tenancy.getGlobalDB()
const dbUser = await db.get(id) const dbUser = await db.get(id)
const userId = dbUser._id as string
let groups = dbUser.userGroups let groups = dbUser.userGroups
if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) { if (!env.SELF_HOSTED && !env.DISABLE_ACCOUNT_PORTAL) {
@ -387,7 +388,7 @@ export const destroy = async (id: string, currentUser: any) => {
await deprovisioning.removeUserFromInfoDB(dbUser) await deprovisioning.removeUserFromInfoDB(dbUser)
await db.remove(dbUser._id, dbUser._rev) await db.remove(userId, dbUser._rev)
if (groups) { if (groups) {
await groupUtils.deleteGroupUsers(groups, dbUser) await groupUtils.deleteGroupUsers(groups, dbUser)
@ -395,17 +396,18 @@ export const destroy = async (id: string, currentUser: any) => {
await eventHelpers.handleDeleteEvents(dbUser) await eventHelpers.handleDeleteEvents(dbUser)
await quotas.removeUser(dbUser) await quotas.removeUser(dbUser)
await cache.user.invalidateUser(dbUser._id) await cache.user.invalidateUser(userId)
await sessions.invalidateSessions(dbUser._id) await sessions.invalidateSessions(userId, { reason: "deletion" })
// let server know to sync user // let server know to sync user
await apps.syncUserInApps(dbUser._id) await apps.syncUserInApps(userId)
} }
const bulkDeleteProcessing = async (dbUser: User) => { const bulkDeleteProcessing = async (dbUser: User) => {
const userId = dbUser._id as string
await deprovisioning.removeUserFromInfoDB(dbUser) await deprovisioning.removeUserFromInfoDB(dbUser)
await eventHelpers.handleDeleteEvents(dbUser) await eventHelpers.handleDeleteEvents(dbUser)
await cache.user.invalidateUser(dbUser._id) await cache.user.invalidateUser(userId)
await sessions.invalidateSessions(dbUser._id) await sessions.invalidateSessions(userId, { reason: "bulk-deletion" })
// let server know to sync user // let server know to sync user
await apps.syncUserInApps(dbUser._id) await apps.syncUserInApps(userId)
} }