fosrl.pangolin/server/routers/badger/verifySession.ts

import HttpCode from "@server/types/HttpCode";
import { NextFunction, Request, Response } from "express";
import createHttpError from "http-errors";
import { z } from "zod";
import { fromError } from "zod-validation-error";
import { response } from "@server/utils/response";
import { validateSessionToken } from "@server/auth";
import db from "@server/db";
import {
    resourcePassword,
    resourcePincode,
    resources,
} from "@server/db/schema";
import { eq } from "drizzle-orm";
import config from "@server/config";
import { validateResourceSessionToken } from "@server/auth/resource";

const verifyResourceSessionSchema = z.object({
    cookies: z.object({
        session: z.string().nullable(),
        resource_session: z.string().nullable(),
    }),
    originalRequestURL: z.string().url(),
    scheme: z.string(),
    host: z.string(),
    path: z.string(),
    method: z.string(),
    tls: z.boolean(),
});

export type VerifyResourceSessionSchema = z.infer<
    typeof verifyResourceSessionSchema
>;

export type VerifyUserResponse = {
    valid: boolean;
    redirectUrl?: string;
};

export async function verifyResourceSession(
    req: Request,
    res: Response,
    next: NextFunction
): Promise<any> {
    const parsedBody = verifyResourceSessionSchema.safeParse(req.query);

    if (!parsedBody.success) {
        return next(
            createHttpError(
                HttpCode.BAD_REQUEST,
                fromError(parsedBody.error).toString()
            )
        );
    }

    try {
        const { cookies, host, originalRequestURL } = parsedBody.data;

        const [result] = await db
            .select()
            .from(resources)
            .leftJoin(
                resourcePincode,
                eq(resourcePincode.resourceId, resources.resourceId)
            )
            .leftJoin(
                resourcePassword,
                eq(resourcePassword.resourceId, resources.resourceId)
            )
            .where(eq(resources.fullDomain, host))
            .limit(1);

        const resource = result?.resources;
        const pincode = result?.resourcePincode;
        const password = result?.resourcePassword;

        // resource doesn't exist for some reason
        if (!resource) {
            return notAllowed(res); // no resource to redirect to
        }

        // no auth is configured; auth check is disabled
        if (!resource.appSSOEnabled && !pincode && !password) {
            return allowed(res);
        }

        const redirectUrl = `${config.app.base_url}/auth/resource/${resource.resourceId}/login?redirect=${originalRequestURL}`;

        // we need to check all session to find at least one valid session
        // if we find one, we allow access
        // if we don't find any, we deny access and redirect to the login page

        // we found a session token, and app sso is enabled, so we need to check if it's a valid session
        if (cookies.session && resource.appSSOEnabled) {
            const { user, session } = await validateSessionToken(
                cookies.session
            );
            if (user && session) {
                return allowed(res);
            }
        }

        // we found a resource session token, and either pincode or password is enabled for the resource
        // so we need to check if it's a valid session
        if (cookies.resource_session && (pincode || password)) {
            const { session, user } = await validateResourceSessionToken(
                cookies.resource_session
            );

            if (session && user) {
                if (pincode && session.method === "pincode") {
                    return allowed(res);
                }

                if (password && session.method === "password") {
                    return allowed(res);
                }
            }
        }

        // a valid session was not found for an enabled auth method so we deny access
        // the user is redirected to the login page
        // the login page with render which auth methods are enabled and show the user the correct login form
        return notAllowed(res, redirectUrl);
    } catch (e) {
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                "Failed to verify session"
            )
        );
    }
}

function notAllowed(res: Response, redirectUrl?: string) {
    return response<VerifyUserResponse>(res, {
        data: { valid: false, redirectUrl },
        success: true,
        error: false,
        message: "Access denied",
        status: HttpCode.OK,
    });
}

function allowed(res: Response) {
    return response<VerifyUserResponse>(res, {
        data: { valid: true },
        success: true,
        error: false,
        message: "Access allowed",
        status: HttpCode.OK,
    });
}
added initial schema for resource sessions and auth types 2024-11-16 22:41:43 -05:00			`import HttpCode from "@server/types/HttpCode";`
			`import { NextFunction, Request, Response } from "express";`
			`import createHttpError from "http-errors";`
			`import { z } from "zod";`
			`import { fromError } from "zod-validation-error";`
			`import { response } from "@server/utils/response";`
			`import { validateSessionToken } from "@server/auth";`
			`import db from "@server/db";`
			`import {`
			`resourcePassword,`
			`resourcePincode,`
			`resources,`
			`} from "@server/db/schema";`
			`import { eq } from "drizzle-orm";`
			`import config from "@server/config";`
			`import { validateResourceSessionToken } from "@server/auth/resource";`

			`const verifyResourceSessionSchema = z.object({`
			`cookies: z.object({`
			`session: z.string().nullable(),`
			`resource_session: z.string().nullable(),`
			`}),`
			`originalRequestURL: z.string().url(),`
			`scheme: z.string(),`
			`host: z.string(),`
			`path: z.string(),`
			`method: z.string(),`
			`tls: z.boolean(),`
			`});`

			`export type VerifyResourceSessionSchema = z.infer<`
			`typeof verifyResourceSessionSchema`
			`>;`

			`export type VerifyUserResponse = {`
			`valid: boolean;`
			`redirectUrl?: string;`
			`};`

			`export async function verifyResourceSession(`
			`req: Request,`
			`res: Response,`
			`next: NextFunction`
			`): Promise<any> {`
			`const parsedBody = verifyResourceSessionSchema.safeParse(req.query);`

			`if (!parsedBody.success) {`
			`return next(`
			`createHttpError(`
			`HttpCode.BAD_REQUEST,`
			`fromError(parsedBody.error).toString()`
			`)`
			`);`
			`}`

			`try {`
			`const { cookies, host, originalRequestURL } = parsedBody.data;`

			`const [result] = await db`
			`.select()`
			`.from(resources)`
			`.leftJoin(`
			`resourcePincode,`
			`eq(resourcePincode.resourceId, resources.resourceId)`
			`)`
			`.leftJoin(`
			`resourcePassword,`
			`eq(resourcePassword.resourceId, resources.resourceId)`
			`)`
			`.where(eq(resources.fullDomain, host))`
			`.limit(1);`

			`const resource = result?.resources;`
			`const pincode = result?.resourcePincode;`
			`const password = result?.resourcePassword;`

			`// resource doesn't exist for some reason`
			`if (!resource) {`
			`return notAllowed(res); // no resource to redirect to`
			`}`

			`// no auth is configured; auth check is disabled`
			`if (!resource.appSSOEnabled && !pincode && !password) {`
			`return allowed(res);`
			`}`

			const redirectUrl = `${config.app.base_url}/auth/resource/${resource.resourceId}/login?redirect=${originalRequestURL}`;

			`// we need to check all session to find at least one valid session`
			`// if we find one, we allow access`
			`// if we don't find any, we deny access and redirect to the login page`

			`// we found a session token, and app sso is enabled, so we need to check if it's a valid session`
			`if (cookies.session && resource.appSSOEnabled) {`
			`const { user, session } = await validateSessionToken(`
			`cookies.session`
			`);`
			`if (user && session) {`
			`return allowed(res);`
			`}`
			`}`

			`// we found a resource session token, and either pincode or password is enabled for the resource`
			`// so we need to check if it's a valid session`
			`if (cookies.resource_session && (pincode \|\| password)) {`
			`const { session, user } = await validateResourceSessionToken(`
			`cookies.resource_session`
			`);`

			`if (session && user) {`
			`if (pincode && session.method === "pincode") {`
			`return allowed(res);`
			`}`

			`if (password && session.method === "password") {`
			`return allowed(res);`
			`}`
			`}`
			`}`

			`// a valid session was not found for an enabled auth method so we deny access`
			`// the user is redirected to the login page`
			`// the login page with render which auth methods are enabled and show the user the correct login form`
			`return notAllowed(res, redirectUrl);`
			`} catch (e) {`
			`return next(`
			`createHttpError(`
			`HttpCode.INTERNAL_SERVER_ERROR,`
			`"Failed to verify session"`
			`)`
			`);`
			`}`
			`}`

			`function notAllowed(res: Response, redirectUrl?: string) {`
			`return response<VerifyUserResponse>(res, {`
			`data: { valid: false, redirectUrl },`
			`success: true,`
			`error: false,`
			`message: "Access denied",`
			`status: HttpCode.OK,`
			`});`
			`}`

			`function allowed(res: Response) {`
			`return response<VerifyUserResponse>(res, {`
			`data: { valid: true },`
			`success: true,`
			`error: false,`
			`message: "Access allowed",`
			`status: HttpCode.OK,`
			`});`
			`}`