Merge pull request #7124 from Budibase/fix/various-session-fixes

Further session fixes
This commit is contained in:
Michael Drury 2022-08-05 22:12:28 +01:00 committed by GitHub
commit a36e4eede7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 42 additions and 52 deletions

View File

@ -84,45 +84,40 @@ module.exports = (
// check the actual user is authenticated first, try header or cookie
const headerToken = ctx.request.headers[Headers.TOKEN]
const authCookie = getCookie(ctx, Cookies.Auth) || openJwt(headerToken)
let authenticated = false,
user = null,
internal = false,
error = null
if (authCookie) {
const sessionId = authCookie.sessionId
const userId = authCookie.userId
const session = await getSession(userId, sessionId)
if (!session) {
error = `Session not found - ${userId} - ${sessionId}`
} else {
try {
if (opts && opts.populateUser) {
user = await getUser(
userId,
session.tenantId,
opts.populateUser(ctx)
)
} else {
user = await getUser(userId, session.tenantId)
}
user.csrfToken = session.csrfToken
authenticated = true
} catch (err) {
error = err
}
}
if (error) {
console.error("Auth Error", error)
// remove the cookie as the user does not exist anymore
clearCookie(ctx, Cookies.Auth)
} else if (session?.lastAccessedAt < timeMinusOneMinute()) {
// make sure we denote that the session is still in use
await updateSessionTTL(session)
}
}
const apiKey = ctx.request.headers[Headers.API_KEY]
const tenantId = ctx.request.headers[Headers.TENANT_ID]
let authenticated = false,
user = null,
internal = false
if (authCookie && !apiKey) {
const sessionId = authCookie.sessionId
const userId = authCookie.userId
let session
try {
// getting session handles error checking (if session exists etc)
session = await getSession(userId, sessionId)
if (opts && opts.populateUser) {
user = await getUser(
userId,
session.tenantId,
opts.populateUser(ctx)
)
} else {
user = await getUser(userId, session.tenantId)
}
user.csrfToken = session.csrfToken
if (session?.lastAccessedAt < timeMinusOneMinute()) {
// make sure we denote that the session is still in use
await updateSessionTTL(session)
}
authenticated = true
} catch (err: any) {
authenticated = false
console.error("Auth Error", err?.message || err)
// remove the cookie as the user does not exist anymore
clearCookie(ctx, Cookies.Auth)
}
}
// this is an internal request, no user made it
if (!authenticated && apiKey) {
const populateUser = opts.populateUser ? opts.populateUser(ctx) : null
@ -144,7 +139,7 @@ module.exports = (
delete user.password
}
// be explicit
if (error || authenticated !== true) {
if (authenticated !== true) {
authenticated = false
}
// isAuthenticated is a function, so use a variable to be able to check authed state

View File

@ -38,7 +38,7 @@ export async function invalidateSessions(
let sessions: SessionKey
// If no sessionIds, get all the sessions for the user
if (!sessionIds) {
if (sessionIds.length === 0) {
sessions = await getSessionsForUser(userId)
sessions.forEach(
(session: any) =>
@ -103,18 +103,13 @@ export async function endSession(userId: string, sessionId: string) {
}
export async function getSession(userId: string, sessionId: string) {
try {
const client = await redis.getSessionClient()
return client.get(makeSessionID(userId, sessionId))
} catch (err) {
// if can't get session don't error, just don't return anything
console.error(err)
return null
if (!userId || !sessionId) {
throw new Error(`Invalid session details - ${userId} - ${sessionId}`)
}
}
export async function getAllSessions() {
const client = await redis.getSessionClient()
const sessions = await client.scan()
return sessions.map((session: Session) => session.value)
const session = await client.get(makeSessionID(userId, sessionId))
if (!session) {
throw new Error(`Session not found - ${userId} - ${sessionId}`)
}
return session
}

View File

@ -278,7 +278,7 @@ exports.outputProcessing = async (table, rows, opts = { squash: true }) => {
for (let [property, column] of Object.entries(table.schema)) {
if (column.type === FieldTypes.ATTACHMENT) {
for (let row of enriched) {
if (row[property] == null || row[property].length === 0) {
if (row[property] == null || !Array.isArray(row[property])) {
continue
}
row[property].forEach(attachment => {