fosrl.pangolin/server/auth/resource.ts

import { encodeHexLowerCase } from "@oslojs/encoding";
import { sha256 } from "@oslojs/crypto/sha2";
import { resourceSessions, ResourceSession } from "@server/db/schema";
import db from "@server/db";
import { eq, and } from "drizzle-orm";

export const SESSION_COOKIE_NAME = "resource_session";
export const SESSION_COOKIE_EXPIRES = 1000 * 60 * 60 * 24 * 30;

export async function createResourceSession(opts: {
    token: string;
    resourceId: number;
    passwordId?: number;
    pincodeId?: number;
}): Promise<ResourceSession> {
    if (!opts.passwordId && !opts.pincodeId) {
        throw new Error(
            "At least one of passwordId or pincodeId must be provided",
        );
    }

    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(opts.token)),
    );

    const session: ResourceSession = {
        sessionId: sessionId,
        expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime(),
        resourceId: opts.resourceId,
        passwordId: opts.passwordId || null,
        pincodeId: opts.pincodeId || null,
    };

    await db.insert(resourceSessions).values(session);

    return session;
}

export async function validateResourceSessionToken(
    token: string,
    resourceId: number,
): Promise<ResourceSessionValidationResult> {
    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(token)),
    );
    const result = await db
        .select()
        .from(resourceSessions)
        .where(
            and(
                eq(resourceSessions.sessionId, sessionId),
                eq(resourceSessions.resourceId, resourceId),
            ),
        );

    if (result.length < 1) {
        return { resourceSession: null };
    }

    const resourceSession = result[0];

    if (Date.now() >= resourceSession.expiresAt - SESSION_COOKIE_EXPIRES / 2) {
        resourceSession.expiresAt = new Date(
            Date.now() + SESSION_COOKIE_EXPIRES,
        ).getTime();
        await db
            .update(resourceSessions)
            .set({
                expiresAt: resourceSession.expiresAt,
            })
            .where(eq(resourceSessions.sessionId, resourceSession.sessionId));
    }

    return { resourceSession };
}

export async function invalidateResourceSession(
    sessionId: string,
): Promise<void> {
    await db
        .delete(resourceSessions)
        .where(eq(resourceSessions.sessionId, sessionId));
}

export async function invalidateAllSessions(
    resourceId: number,
    method?: {
        passwordId?: number;
        pincodeId?: number;
    },
): Promise<void> {
    if (method?.passwordId) {
        await db
            .delete(resourceSessions)
            .where(
                and(
                    eq(resourceSessions.resourceId, resourceId),
                    eq(resourceSessions.passwordId, method.passwordId),
                ),
            );
    } else if (method?.pincodeId) {
        await db
            .delete(resourceSessions)
            .where(
                and(
                    eq(resourceSessions.resourceId, resourceId),
                    eq(resourceSessions.pincodeId, method.pincodeId),
                ),
            );
    } else {
        await db
            .delete(resourceSessions)
            .where(eq(resourceSessions.resourceId, resourceId));
    }
}

export function serializeResourceSessionCookie(
    token: string,
    fqdn: string,
    secure: boolean,
): string {
    if (secure) {
        return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=.localhost`;
    } else {
        return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=.localhost`;
    }
}

export function createBlankResourceSessionTokenCookie(
    fqdn: string,
    secure: boolean,
): string {
    if (secure) {
        return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${fqdn}`;
    } else {
        return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${fqdn}`;
    }
}

export type ResourceSessionValidationResult = {
    resourceSession: ResourceSession | null;
};
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`import { encodeHexLowerCase } from "@oslojs/encoding";`
			`import { sha256 } from "@oslojs/crypto/sha2";`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`import { resourceSessions, ResourceSession } from "@server/db/schema";`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`import db from "@server/db";`
			`import { eq, and } from "drizzle-orm";`

			`export const SESSION_COOKIE_NAME = "resource_session";`
			`export const SESSION_COOKIE_EXPIRES = 1000 * 60 * 60 * 24 * 30;`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`export async function createResourceSession(opts: {`
			`token: string;`
			`resourceId: number;`
			`passwordId?: number;`
			`pincodeId?: number;`
			`}): Promise<ResourceSession> {`
			`if (!opts.passwordId && !opts.pincodeId) {`
			`throw new Error(`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`"At least one of passwordId or pincodeId must be provided",`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`);`
			`}`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00
			`const sessionId = encodeHexLowerCase(`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`sha256(new TextEncoder().encode(opts.token)),`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`);`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`const session: ResourceSession = {`
			`sessionId: sessionId,`
			`expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime(),`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`resourceId: opts.resourceId,`
			`passwordId: opts.passwordId \|\| null,`
			`pincodeId: opts.pincodeId \|\| null,`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`};`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`await db.insert(resourceSessions).values(session);`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`return session;`
			`}`

			`export async function validateResourceSessionToken(`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`token: string,`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`resourceId: number,`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): Promise<ResourceSessionValidationResult> {`
			`const sessionId = encodeHexLowerCase(`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`sha256(new TextEncoder().encode(token)),`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`);`
			`const result = await db`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`.select()`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`.from(resourceSessions)`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`.where(`
			`and(`
			`eq(resourceSessions.sessionId, sessionId),`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`eq(resourceSessions.resourceId, resourceId),`
			`),`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`);`

added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`if (result.length < 1) {`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`return { resourceSession: null };`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
			`const resourceSession = result[0];`

added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`if (Date.now() >= resourceSession.expiresAt - SESSION_COOKIE_EXPIRES / 2) {`
			`resourceSession.expiresAt = new Date(`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`Date.now() + SESSION_COOKIE_EXPIRES,`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`).getTime();`
			`await db`
			`.update(resourceSessions)`
			`.set({`
			`expiresAt: resourceSession.expiresAt,`
			`})`
			`.where(eq(resourceSessions.sessionId, resourceSession.sessionId));`
			`}`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
			`return { resourceSession };`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`

			`export async function invalidateResourceSession(`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`sessionId: string,`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): Promise<void> {`
			`await db`
			`.delete(resourceSessions)`
			`.where(eq(resourceSessions.sessionId, sessionId));`
			`}`

			`export async function invalidateAllSessions(`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`resourceId: number,`
			`method?: {`
			`passwordId?: number;`
			`pincodeId?: number;`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`},`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): Promise<void> {`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`if (method?.passwordId) {`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`await db`
			`.delete(resourceSessions)`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`.where(`
			`and(`
			`eq(resourceSessions.resourceId, resourceId),`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`eq(resourceSessions.passwordId, method.passwordId),`
			`),`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`);`
			`} else if (method?.pincodeId) {`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`await db`
			`.delete(resourceSessions)`
			`.where(`
			`and(`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`eq(resourceSessions.resourceId, resourceId),`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`eq(resourceSessions.pincodeId, method.pincodeId),`
			`),`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`);`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`} else {`
			`await db`
			`.delete(resourceSessions)`
			`.where(eq(resourceSessions.resourceId, resourceId));`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`
			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`export function serializeResourceSessionCookie(`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`token: string,`
			`fqdn: string,`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`secure: boolean,`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): string {`
			`if (secure) {`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=.localhost`;
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`} else {`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=.localhost`;
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`
			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`export function createBlankResourceSessionTokenCookie(`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`fqdn: string,`
set resource session cookie in proxy via param 2024-11-23 23:31:22 -05:00			`secure: boolean,`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): string {`
			`if (secure) {`
			return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${fqdn}`;
			`} else {`
			return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${fqdn}`;
			`}`
			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`export type ResourceSessionValidationResult = {`
			`resourceSession: ResourceSession \| null;`
			`};`