fosrl.pangolin/server/auth/resource.ts

import { encodeHexLowerCase } from "@oslojs/encoding";
import { sha256 } from "@oslojs/crypto/sha2";
import { resourceSessions, ResourceSession } from "@server/db/schema";
import db from "@server/db";
import { eq, and } from "drizzle-orm";
import config from "@server/config";

export const SESSION_COOKIE_NAME = "resource_session";
export const SESSION_COOKIE_EXPIRES = 1000 * 60 * 60 * 24 * 30;
export const SECURE_COOKIES = config.server.secure_cookies;
export const COOKIE_DOMAIN =
    "." + new URL(config.app.base_url).hostname.split(".").slice(-2).join(".");

export async function createResourceSession(opts: {
    token: string;
    resourceId: number;
    passwordId?: number;
    pincodeId?: number;
    whitelistId: number;
    usedOtp?: boolean;
}): Promise<ResourceSession> {
    if (!opts.passwordId && !opts.pincodeId) {
        throw new Error(
            "At least one of passwordId or pincodeId must be provided"
        );
    }

    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(opts.token))
    );

    const session: ResourceSession = {
        sessionId: sessionId,
        expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime(),
        resourceId: opts.resourceId,
        passwordId: opts.passwordId || null,
        pincodeId: opts.pincodeId || null,
        whitelistId: opts.whitelistId,
        usedOtp: opts.usedOtp || false
    };

    await db.insert(resourceSessions).values(session);

    return session;
}

export async function validateResourceSessionToken(
    token: string,
    resourceId: number
): Promise<ResourceSessionValidationResult> {
    const sessionId = encodeHexLowerCase(
        sha256(new TextEncoder().encode(token))
    );
    const result = await db
        .select()
        .from(resourceSessions)
        .where(
            and(
                eq(resourceSessions.sessionId, sessionId),
                eq(resourceSessions.resourceId, resourceId)
            )
        );

    if (result.length < 1) {
        return { resourceSession: null };
    }

    const resourceSession = result[0];

    if (Date.now() >= resourceSession.expiresAt - SESSION_COOKIE_EXPIRES / 2) {
        resourceSession.expiresAt = new Date(
            Date.now() + SESSION_COOKIE_EXPIRES
        ).getTime();
        await db
            .update(resourceSessions)
            .set({
                expiresAt: resourceSession.expiresAt
            })
            .where(eq(resourceSessions.sessionId, resourceSession.sessionId));
    }

    return { resourceSession };
}

export async function invalidateResourceSession(
    sessionId: string
): Promise<void> {
    await db
        .delete(resourceSessions)
        .where(eq(resourceSessions.sessionId, sessionId));
}

export async function invalidateAllSessions(
    resourceId: number,
    method?: {
        passwordId?: number;
        pincodeId?: number;
        whitelistId?: number;
    }
): Promise<void> {
    if (method?.passwordId) {
        await db
            .delete(resourceSessions)
            .where(
                and(
                    eq(resourceSessions.resourceId, resourceId),
                    eq(resourceSessions.passwordId, method.passwordId)
                )
            );
    }

    if (method?.pincodeId) {
        await db
            .delete(resourceSessions)
            .where(
                and(
                    eq(resourceSessions.resourceId, resourceId),
                    eq(resourceSessions.pincodeId, method.pincodeId)
                )
            );
    }

    if (method?.whitelistId) {
        await db
            .delete(resourceSessions)
            .where(
                and(
                    eq(resourceSessions.resourceId, resourceId),
                    eq(resourceSessions.whitelistId, method.whitelistId)
                )
            );

    }
    if (!method?.passwordId && !method?.pincodeId && !method?.whitelistId) {
        await db
            .delete(resourceSessions)
            .where(eq(resourceSessions.resourceId, resourceId));
    }
}

export function serializeResourceSessionCookie(
    cookieName: string,
    token: string,
    fqdn: string
): string {
    if (SECURE_COOKIES) {
        return `${cookieName}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
    } else {
        return `${cookieName}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=${COOKIE_DOMAIN}`;
    }
}

export function createBlankResourceSessionTokenCookie(
    cookieName: string,
    fqdn: string
): string {
    if (SECURE_COOKIES) {
        return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
    } else {
        return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${COOKIE_DOMAIN}`;
    }
}

export type ResourceSessionValidationResult = {
    resourceSession: ResourceSession | null;
};
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`import { encodeHexLowerCase } from "@oslojs/encoding";`
			`import { sha256 } from "@oslojs/crypto/sha2";`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`import { resourceSessions, ResourceSession } from "@server/db/schema";`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`import db from "@server/db";`
			`import { eq, and } from "drizzle-orm";`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`import config from "@server/config";`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00
			`export const SESSION_COOKIE_NAME = "resource_session";`
			`export const SESSION_COOKIE_EXPIRES = 1000 * 60 * 60 * 24 * 30;`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`export const SECURE_COOKIES = config.server.secure_cookies;`
			`export const COOKIE_DOMAIN =`
			`"." + new URL(config.app.base_url).hostname.split(".").slice(-2).join(".");`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`export async function createResourceSession(opts: {`
			`token: string;`
			`resourceId: number;`
			`passwordId?: number;`
			`pincodeId?: number;`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`whitelistId: number;`
			`usedOtp?: boolean;`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`}): Promise<ResourceSession> {`
			`if (!opts.passwordId && !opts.pincodeId) {`
			`throw new Error(`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`"At least one of passwordId or pincodeId must be provided"`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`);`
			`}`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00
			`const sessionId = encodeHexLowerCase(`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`sha256(new TextEncoder().encode(opts.token))`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`);`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`const session: ResourceSession = {`
			`sessionId: sessionId,`
			`expiresAt: new Date(Date.now() + SESSION_COOKIE_EXPIRES).getTime(),`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`resourceId: opts.resourceId,`
			`passwordId: opts.passwordId \|\| null,`
			`pincodeId: opts.pincodeId \|\| null,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`whitelistId: opts.whitelistId,`
			`usedOtp: opts.usedOtp \|\| false`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`};`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`await db.insert(resourceSessions).values(session);`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`return session;`
			`}`

			`export async function validateResourceSessionToken(`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`token: string,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`resourceId: number`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): Promise<ResourceSessionValidationResult> {`
			`const sessionId = encodeHexLowerCase(`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`sha256(new TextEncoder().encode(token))`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`);`
			`const result = await db`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`.select()`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`.from(resourceSessions)`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`.where(`
			`and(`
			`eq(resourceSessions.sessionId, sessionId),`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`eq(resourceSessions.resourceId, resourceId)`
			`)`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`);`

added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`if (result.length < 1) {`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`return { resourceSession: null };`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
			`const resourceSession = result[0];`

added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`if (Date.now() >= resourceSession.expiresAt - SESSION_COOKIE_EXPIRES / 2) {`
			`resourceSession.expiresAt = new Date(`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`Date.now() + SESSION_COOKIE_EXPIRES`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`).getTime();`
			`await db`
			`.update(resourceSessions)`
			`.set({`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`expiresAt: resourceSession.expiresAt`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`})`
			`.where(eq(resourceSessions.sessionId, resourceSession.sessionId));`
			`}`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00
			`return { resourceSession };`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`

			`export async function invalidateResourceSession(`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`sessionId: string`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): Promise<void> {`
			`await db`
			`.delete(resourceSessions)`
			`.where(eq(resourceSessions.sessionId, sessionId));`
			`}`

			`export async function invalidateAllSessions(`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`resourceId: number,`
			`method?: {`
			`passwordId?: number;`
			`pincodeId?: number;`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`whitelistId?: number;`
			`}`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): Promise<void> {`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`if (method?.passwordId) {`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`await db`
			`.delete(resourceSessions)`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`.where(`
			`and(`
			`eq(resourceSessions.resourceId, resourceId),`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`eq(resourceSessions.passwordId, method.passwordId)`
			`)`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`);`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`}`

			`if (method?.pincodeId) {`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`await db`
			`.delete(resourceSessions)`
			`.where(`
			`and(`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`eq(resourceSessions.resourceId, resourceId),`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`eq(resourceSessions.pincodeId, method.pincodeId)`
			`)`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`);`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`}`

			`if (method?.whitelistId) {`
			`await db`
			`.delete(resourceSessions)`
			`.where(`
			`and(`
			`eq(resourceSessions.resourceId, resourceId),`
			`eq(resourceSessions.whitelistId, method.whitelistId)`
			`)`
			`);`

			`}`
			`if (!method?.passwordId && !method?.pincodeId && !method?.whitelistId) {`
api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`await db`
			`.delete(resourceSessions)`
			`.where(eq(resourceSessions.resourceId, resourceId));`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`
			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`export function serializeResourceSessionCookie(`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`cookieName: string,`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`token: string,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`fqdn: string`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): string {`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`if (SECURE_COOKIES) {`
			return `${cookieName}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`} else {`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			return `${cookieName}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=${COOKIE_DOMAIN}`;
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`
			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`export function createBlankResourceSessionTokenCookie(`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`cookieName: string,`
add otp flow to resource auth portal 2024-12-15 17:47:07 -05:00			`fqdn: string`
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`): string {`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			`if (SECURE_COOKIES) {`
			return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`} else {`
set resource session as base domain cookie 2024-11-27 00:07:40 -05:00			return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${COOKIE_DOMAIN}`;
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`}`
			`}`

api for set resource password and auth with resource password 2024-11-17 22:44:11 -05:00			`export type ResourceSessionValidationResult = {`
			`resourceSession: ResourceSession \| null;`
			`};`