From f4557fb220c75db794dd08f622131d5470051f60 Mon Sep 17 00:00:00 2001
From: Maurits Lourens
Date: Tue, 29 Mar 2022 10:06:54 +0200
Subject: [PATCH 1/2] invalidate sessions before login

---
 packages/backend-core/src/middleware/passport/local.js | 8 +++++++-
 .../src/middleware/passport/third-party-common.js | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/packages/backend-core/src/middleware/passport/local.js b/packages/backend-core/src/middleware/passport/local.js
index 2149bd3e18..f3921bea51 100644
--- a/packages/backend-core/src/middleware/passport/local.js
+++ b/packages/backend-core/src/middleware/passport/local.js
@@ -5,7 +5,10 @@ const env = require("../../environment")
 const { getGlobalUserByEmail } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const { createASession } = require("../../security/sessions")
+const {
+  createASession,
+  invalidateSessions,
+} = require("../../security/sessions")
 const { getTenantId } = require("../../tenancy")
 
 const INVALID_ERR = "Invalid credentials"
@@ -53,6 +56,9 @@ exports.authenticate = async function (ctx, email, password, done) {
 
   // authenticate
   if (await compare(password, dbUser.password)) {
+    // invalidate all other sessions
+    await invalidateSessions(dbUser._id)
+
     const sessionId = newid()
     const tenantId = getTenantId()
     await createASession(dbUser._id, { sessionId, tenantId })
diff --git a/packages/backend-core/src/middleware/passport/third-party-common.js b/packages/backend-core/src/middleware/passport/third-party-common.js
index b467c0b10b..32be3f474a 100644
--- a/packages/backend-core/src/middleware/passport/third-party-common.js
+++ b/packages/backend-core/src/middleware/passport/third-party-common.js
@@ -4,7 +4,10 @@ const { generateGlobalUserID } = require("../../db/utils")
 const { saveUser } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const { createASession } = require("../../security/sessions")
+const {
+  createASession,
+  invalidateSessions,
+} = require("../../security/sessions")
 const { getGlobalUserByEmail } = require("../../utils")
 const { getGlobalDB, getTenantId } = require("../../tenancy")
 const fetch = require("node-fetch")
@@ -76,6 +79,9 @@ exports.authenticateThirdParty = async function (
   // never prompt for password reset
   dbUser.forceResetPassword = false
 
+  // invalidate all other sessions
+  await invalidateSessions(dbUser._id)
+
   // create or sync the user
   let response
   try {

From 9faaecb57e7da537deff28f6e56227bc8b07bbf5 Mon Sep 17 00:00:00 2001
From: Maurits Lourens
Date: Tue, 29 Mar 2022 11:59:16 +0200
Subject: [PATCH 2/2] move invalidation to the creation of a session

---
 packages/backend-core/src/middleware/passport/local.js | 8 +-------
 .../src/middleware/passport/third-party-common.js | 8 +-------
 packages/backend-core/src/security/sessions.js | 3 +++
 3 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/packages/backend-core/src/middleware/passport/local.js b/packages/backend-core/src/middleware/passport/local.js
index f3921bea51..2149bd3e18 100644
--- a/packages/backend-core/src/middleware/passport/local.js
+++ b/packages/backend-core/src/middleware/passport/local.js
@@ -5,10 +5,7 @@ const env = require("../../environment")
 const { getGlobalUserByEmail } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const {
-  createASession,
-  invalidateSessions,
-} = require("../../security/sessions")
+const { createASession } = require("../../security/sessions")
 const { getTenantId } = require("../../tenancy")
 
 const INVALID_ERR = "Invalid credentials"
@@ -56,9 +53,6 @@ exports.authenticate = async function (ctx, email, password, done) {
 
   // authenticate
   if (await compare(password, dbUser.password)) {
-    // invalidate all other sessions
-    await invalidateSessions(dbUser._id)
-
     const sessionId = newid()
     const tenantId = getTenantId()
     await createASession(dbUser._id, { sessionId, tenantId })
diff --git a/packages/backend-core/src/middleware/passport/third-party-common.js b/packages/backend-core/src/middleware/passport/third-party-common.js
index 32be3f474a..b467c0b10b 100644
--- a/packages/backend-core/src/middleware/passport/third-party-common.js
+++ b/packages/backend-core/src/middleware/passport/third-party-common.js
@@ -4,10 +4,7 @@ const { generateGlobalUserID } = require("../../db/utils")
 const { saveUser } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const {
-  createASession,
-  invalidateSessions,
-} = require("../../security/sessions")
+const { createASession } = require("../../security/sessions")
 const { getGlobalUserByEmail } = require("../../utils")
 const { getGlobalDB, getTenantId } = require("../../tenancy")
 const fetch = require("node-fetch")
@@ -79,9 +76,6 @@ exports.authenticateThirdParty = async function (
   // never prompt for password reset
   dbUser.forceResetPassword = false
 
-  // invalidate all other sessions
-  await invalidateSessions(dbUser._id)
-
   // create or sync the user
   let response
   try {
diff --git a/packages/backend-core/src/security/sessions.js b/packages/backend-core/src/security/sessions.js
index bbe6be299d..cd0405c0c9 100644
--- a/packages/backend-core/src/security/sessions.js
+++ b/packages/backend-core/src/security/sessions.js
@@ -15,6 +15,9 @@ function makeSessionID(userId, sessionId) {
 }
 
 exports.createASession = async (userId, session) => {
+  // invalidate all other sessions
+  await this.invalidateSessions(userId)
+
   const client = await redis.getSessionClient()
   const sessionId = session.sessionId
   if (!session.csrfToken) {
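Review bot: `await this.invalidateSessions(userId)` in the sessions.js hunk depends on the arrow function's lexical `this` being the CommonJS module-scope `this` (the initial `module.exports` object), which only keeps resolving while `invalidateSessions` is attached to that same object and `module.exports` is never reassigned; `await exports.invalidateSessions(userId)`, or a call through a local function reference, removes that hidden dependency (the definition of `invalidateSessions` is outside the hunk, so its attachment point is inferred from the first patch's import of it). Because the eviction now runs on every call to `createASession` rather than only on the two login paths the first patch touched, any other caller that creates a session inherits single-session-per-user semantics, which the function should state in a JSDoc such as `/** Creates a session for userId; all of the user's existing sessions are invalidated first, so a new login ends every other active session. */`. The ordering is correct as written: the purge runs before the new session is stored, so the new session cannot be swept up by it. `createASession`'s body continues past the end of the hunk.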