fosrl.pangolin/server/routers/badger/exchangeSession.ts

import HttpCode from "@server/types/HttpCode";
import { NextFunction, Request, Response } from "express";
import createHttpError from "http-errors";
import { z } from "zod";
import { fromError } from "zod-validation-error";
import logger from "@server/logger";
import { resourceAccessToken, resources, sessions } from "@server/db/schema";
import db from "@server/db";
import { eq } from "drizzle-orm";
import {
    createResourceSession,
    serializeResourceSessionCookie,
    validateResourceSessionToken
} from "@server/auth/sessions/resource";
import { generateSessionToken, SESSION_COOKIE_EXPIRES } from "@server/auth/sessions/app";
import { SESSION_COOKIE_EXPIRES as RESOURCE_SESSION_COOKIE_EXPIRES } from "@server/auth/sessions/resource";
import config from "@server/lib/config";
import { response } from "@server/lib";

const exchangeSessionBodySchema = z.object({
    requestToken: z.string(),
    host: z.string(),
    requestIp: z.string().optional()
});

export type ExchangeSessionBodySchema = z.infer<
    typeof exchangeSessionBodySchema
>;

export type ExchangeSessionResponse = {
    valid: boolean;
    cookie?: string;
};

export async function exchangeSession(
    req: Request,
    res: Response,
    next: NextFunction
): Promise<any> {
    logger.debug("Exchange session: Badger sent", req.body);

    const parsedBody = exchangeSessionBodySchema.safeParse(req.body);

    if (!parsedBody.success) {
        return next(
            createHttpError(
                HttpCode.BAD_REQUEST,
                fromError(parsedBody.error).toString()
            )
        );
    }

    try {
        const { requestToken, host, requestIp } = parsedBody.data;

        const clientIp = requestIp?.split(":")[0];

        const [resource] = await db
            .select()
            .from(resources)
            .where(eq(resources.fullDomain, host))
            .limit(1);

        if (!resource) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    `Resource with host ${host} not found`
                )
            );
        }

        const { resourceSession: requestSession } =
            await validateResourceSessionToken(
                requestToken,
                resource.resourceId
            );

        if (!requestSession) {
            if (config.getRawConfig().app.log_failed_attempts) {
                logger.info(
                    `Exchange token is invalid. Resource ID: ${resource.resourceId}. IP: ${clientIp}.`
                );
            }
            return next(
                createHttpError(HttpCode.UNAUTHORIZED, "Invalid request token")
            );
        }

        if (!requestSession.isRequestToken) {
            if (config.getRawConfig().app.log_failed_attempts) {
                logger.info(
                    `Exchange token is invalid. Resource ID: ${resource.resourceId}. IP: ${clientIp}.`
                );
            }
            return next(
                createHttpError(HttpCode.UNAUTHORIZED, "Invalid request token")
            );
        }

        await db.delete(sessions).where(eq(sessions.sessionId, requestToken));

        const token = generateSessionToken();

        let expiresAt: number | null = null;

        if (requestSession.userSessionId) {
            const [res] = await db
                .select()
                .from(sessions)
                .where(eq(sessions.sessionId, requestSession.userSessionId))
                .limit(1);
            if (res) {
                await createResourceSession({
                    token,
                    resourceId: resource.resourceId,
                    isRequestToken: false,
                    userSessionId: requestSession.userSessionId,
                    doNotExtend: false,
                    expiresAt: res.expiresAt,
                    sessionLength: SESSION_COOKIE_EXPIRES
                });
                expiresAt = res.expiresAt;
            }
        } else if (requestSession.accessTokenId) {
            const [res] = await db
                .select()
                .from(resourceAccessToken)
                .where(
                    eq(
                        resourceAccessToken.accessTokenId,
                        requestSession.accessTokenId
                    )
                )
                .limit(1);
            if (res) {
                await createResourceSession({
                    token,
                    resourceId: resource.resourceId,
                    isRequestToken: false,
                    accessTokenId: requestSession.accessTokenId,
                    doNotExtend: true,
                    expiresAt: res.expiresAt,
                    sessionLength: res.sessionLength
                });
                expiresAt = res.expiresAt;
            }
        } else {
            const expires = new Date(
                    Date.now() + SESSION_COOKIE_EXPIRES
                ).getTime();
            await createResourceSession({
                token,
                resourceId: resource.resourceId,
                isRequestToken: false,
                passwordId: requestSession.passwordId,
                pincodeId: requestSession.pincodeId,
                userSessionId: requestSession.userSessionId,
                whitelistId: requestSession.whitelistId,
                accessTokenId: requestSession.accessTokenId,
                doNotExtend: false,
                expiresAt: expires,
                sessionLength: RESOURCE_SESSION_COOKIE_EXPIRES
            });
            expiresAt = expires;
        }

        const cookieName = `${config.getRawConfig().server.session_cookie_name}`;
        const cookie = serializeResourceSessionCookie(
            cookieName,
            resource.fullDomain!,
            token,
            !resource.ssl,
            expiresAt ? new Date(expiresAt) : undefined
        );

        logger.debug(JSON.stringify("Exchange cookie: " + cookie));
        return response<ExchangeSessionResponse>(res, {
            data: { valid: true, cookie },
            success: true,
            error: false,
            message: "Session exchanged successfully",
            status: HttpCode.OK
        });
    } catch (e) {
        console.error(e);
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                "Failed to exchange session"
            )
        );
    }
}
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`import HttpCode from "@server/types/HttpCode";`
			`import { NextFunction, Request, Response } from "express";`
			`import createHttpError from "http-errors";`
			`import { z } from "zod";`
			`import { fromError } from "zod-validation-error";`
			`import logger from "@server/logger";`
			`import { resourceAccessToken, resources, sessions } from "@server/db/schema";`
			`import db from "@server/db";`
			`import { eq } from "drizzle-orm";`
			`import {`
			`createResourceSession,`
			`serializeResourceSessionCookie,`
			`validateResourceSessionToken`
			`} from "@server/auth/sessions/resource";`
remove secure_cookies option from config 2025-01-30 21:53:42 -05:00			`import { generateSessionToken, SESSION_COOKIE_EXPIRES } from "@server/auth/sessions/app";`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`import { SESSION_COOKIE_EXPIRES as RESOURCE_SESSION_COOKIE_EXPIRES } from "@server/auth/sessions/resource";`
			`import config from "@server/lib/config";`
			`import { response } from "@server/lib";`

			`const exchangeSessionBodySchema = z.object({`
			`requestToken: z.string(),`
add failed auth logging 2025-01-27 22:43:32 -05:00			`host: z.string(),`
			`requestIp: z.string().optional()`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`});`

			`export type ExchangeSessionBodySchema = z.infer<`
			`typeof exchangeSessionBodySchema`
			`>;`

			`export type ExchangeSessionResponse = {`
			`valid: boolean;`
			`cookie?: string;`
			`};`

			`export async function exchangeSession(`
			`req: Request,`
			`res: Response,`
			`next: NextFunction`
			`): Promise<any> {`
			`logger.debug("Exchange session: Badger sent", req.body);`

			`const parsedBody = exchangeSessionBodySchema.safeParse(req.body);`

			`if (!parsedBody.success) {`
			`return next(`
			`createHttpError(`
			`HttpCode.BAD_REQUEST,`
			`fromError(parsedBody.error).toString()`
			`)`
			`);`
			`}`

			`try {`
add failed auth logging 2025-01-27 22:43:32 -05:00			`const { requestToken, host, requestIp } = parsedBody.data;`

			`const clientIp = requestIp?.split(":")[0];`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00
			`const [resource] = await db`
			`.select()`
			`.from(resources)`
			`.where(eq(resources.fullDomain, host))`
			`.limit(1);`

			`if (!resource) {`
			`return next(`
			`createHttpError(`
			`HttpCode.NOT_FOUND,`
			`Resource with host ${host} not found`
			`)`
			`);`
			`}`

			`const { resourceSession: requestSession } =`
			`await validateResourceSessionToken(`
			`requestToken,`
			`resource.resourceId`
			`);`

			`if (!requestSession) {`
add failed auth logging 2025-01-27 22:43:32 -05:00			`if (config.getRawConfig().app.log_failed_attempts) {`
			`logger.info(`
			`Exchange token is invalid. Resource ID: ${resource.resourceId}. IP: ${clientIp}.`
			`);`
			`}`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`return next(`
			`createHttpError(HttpCode.UNAUTHORIZED, "Invalid request token")`
			`);`
			`}`

			`if (!requestSession.isRequestToken) {`
add failed auth logging 2025-01-27 22:43:32 -05:00			`if (config.getRawConfig().app.log_failed_attempts) {`
			`logger.info(`
			`Exchange token is invalid. Resource ID: ${resource.resourceId}. IP: ${clientIp}.`
			`);`
			`}`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`return next(`
			`createHttpError(HttpCode.UNAUTHORIZED, "Invalid request token")`
			`);`
			`}`

			`await db.delete(sessions).where(eq(sessions.sessionId, requestToken));`

			`const token = generateSessionToken();`

more visual enhancements and use expires instead of max age in cookies 2025-03-02 15:23:11 -05:00			`let expiresAt: number \| null = null;`

refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`if (requestSession.userSessionId) {`
			`const [res] = await db`
			`.select()`
			`.from(sessions)`
			`.where(eq(sessions.sessionId, requestSession.userSessionId))`
			`.limit(1);`
			`if (res) {`
			`await createResourceSession({`
			`token,`
			`resourceId: resource.resourceId,`
			`isRequestToken: false,`
			`userSessionId: requestSession.userSessionId,`
			`doNotExtend: false,`
			`expiresAt: res.expiresAt,`
			`sessionLength: SESSION_COOKIE_EXPIRES`
			`});`
more visual enhancements and use expires instead of max age in cookies 2025-03-02 15:23:11 -05:00			`expiresAt = res.expiresAt;`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`}`
			`} else if (requestSession.accessTokenId) {`
			`const [res] = await db`
			`.select()`
			`.from(resourceAccessToken)`
			`.where(`
			`eq(`
			`resourceAccessToken.accessTokenId,`
			`requestSession.accessTokenId`
			`)`
			`)`
			`.limit(1);`
			`if (res) {`
			`await createResourceSession({`
			`token,`
			`resourceId: resource.resourceId,`
			`isRequestToken: false,`
			`accessTokenId: requestSession.accessTokenId,`
			`doNotExtend: true,`
			`expiresAt: res.expiresAt,`
			`sessionLength: res.sessionLength`
			`});`
more visual enhancements and use expires instead of max age in cookies 2025-03-02 15:23:11 -05:00			`expiresAt = res.expiresAt;`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`}`
			`} else {`
more visual enhancements and use expires instead of max age in cookies 2025-03-02 15:23:11 -05:00			`const expires = new Date(`
			`Date.now() + SESSION_COOKIE_EXPIRES`
			`).getTime();`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`await createResourceSession({`
			`token,`
			`resourceId: resource.resourceId,`
			`isRequestToken: false,`
			`passwordId: requestSession.passwordId,`
			`pincodeId: requestSession.pincodeId,`
			`userSessionId: requestSession.userSessionId,`
			`whitelistId: requestSession.whitelistId,`
			`accessTokenId: requestSession.accessTokenId,`
			`doNotExtend: false,`
more visual enhancements and use expires instead of max age in cookies 2025-03-02 15:23:11 -05:00			`expiresAt: expires,`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`sessionLength: RESOURCE_SESSION_COOKIE_EXPIRES`
			`});`
more visual enhancements and use expires instead of max age in cookies 2025-03-02 15:23:11 -05:00			`expiresAt = expires;`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`}`

			const cookieName = `${config.getRawConfig().server.session_cookie_name}`;
			`const cookie = serializeResourceSessionCookie(`
			`cookieName,`
Squashed commit of the following: commit c276d2193da5dbe7af5197bdf7e2bcce6f87b0cf Author: Owen Schwartz <owen@txv.io> Date: Tue Jan 28 22:06:04 2025 -0500 Okay actually now commit 9afdc0aadc3f4fb4e811930bacff70a9e17eab9f Author: Owen Schwartz <owen@txv.io> Date: Tue Jan 28 21:58:44 2025 -0500 Migrations working finally commit a7336b3b2466fe74d650b9c253ecadbe1eff749d Merge: e7c7203 fdb1ab4 Author: Owen Schwartz <owen@txv.io> Date: Mon Jan 27 22:19:15 2025 -0500 Merge branch 'dev' into tcp-udp-traffic commit e7c7203330b1b08e570048b10ef314b55068e466 Author: Owen Schwartz <owen@txv.io> Date: Mon Jan 27 22:18:09 2025 -0500 Working on migration commit a4704dfd44b10647257c7c7054c0dae806d315bb Author: Owen Schwartz <owen@txv.io> Date: Mon Jan 27 21:40:52 2025 -0500 Add flag to allow raw resources commit d74f7a57ed11e2a6bf1a7e0c28c29fb07eb573a0 Merge: 6817788 d791b9b Author: Owen Schwartz <owen@txv.io> Date: Mon Jan 27 21:28:50 2025 -0500 Merge branch 'tcp-udp-traffic' of https://github.com/fosrl/pangolin into tcp-udp-traffic commit 68177882781b54ef30b62cca7dee8bbed7c5a2fa Author: Owen Schwartz <owen@txv.io> Date: Mon Jan 27 21:28:32 2025 -0500 Get everything working commit d791b9b47f9f6ca050d6edfd1d674438f8562d99 Author: Milo Schwartz <mschwartz10612@gmail.com> Date: Mon Jan 27 17:46:19 2025 -0500 fix orgId check in verifyAdmin commit 6ac30afd7a449a126190d311bd98d7f1048f73a4 Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 23:19:33 2025 -0500 Trying to figure out traefik... commit 9886b42272882f8bb6baff2efdbe26cee7cac2b6 Merge: 786e67e 85e9129 Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 21:53:32 2025 -0500 Merge branch 'tcp-udp-traffic' of https://github.com/fosrl/pangolin into tcp-udp-traffic commit 786e67eadd6df1ee8df24e77aed20c1f1fc9ca67 Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 21:51:37 2025 -0500 Bug fixing commit 85e9129ae313b2e4a460a8bc53a0af9f9fbbafb2 Author: Milo Schwartz <mschwartz10612@gmail.com> Date: Sun Jan 26 18:35:24 2025 -0500 rethrow errors in migration and remove permanent redirect commit bd82699505fc7510c27f72cd80ea0ce815d8c5ef Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 17:49:12 2025 -0500 Fix merge issue commit 933dbf3a02b1f19fd1f627410b2407fdf05cd9bf Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 17:46:13 2025 -0500 Add sql to update resources and targets commit f19437bad847c8dbf57fddd2c48cd17bab20ddb0 Merge: 58980eb 9f1f291 Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 17:19:51 2025 -0500 Merge branch 'dev' into tcp-udp-traffic commit 58980ebb64d1040b4d224c76beb38c2254f3c5d9 Merge: 1de682a d284d36 Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 17:10:09 2025 -0500 Merge branch 'dev' into tcp-udp-traffic commit 1de682a9f6039f40e05c8901c7381a94b0d018ed Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 17:08:29 2025 -0500 Working on migrations commit dc853d2bc02b11997be5c3c7ea789402716fb4c2 Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 16:56:49 2025 -0500 Finish config of resource pages commit 37c681c08d7ab73d2cad41e7ef1dbe3a8852e1f2 Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 16:07:25 2025 -0500 Finish up table commit 461c6650bbea0d7439cc042971ec13fdb52a7431 Author: Owen Schwartz <owen@txv.io> Date: Sun Jan 26 15:54:46 2025 -0500 Working toward having dual resource types commit f0894663627375e16ce6994370cb30b298efc2dc Author: Owen Schwartz <owen@txv.io> Date: Sat Jan 25 22:31:25 2025 -0500 Add qutoes commit edc535b79b94c2e65b290cd90a69fe17d27245e9 Author: Owen Schwartz <owen@txv.io> Date: Sat Jan 25 22:28:45 2025 -0500 Add readTimeout to allow long file uploads commit 194892fa14b505bd7c2b31873dc13d4b8996c0e1 Author: Owen Schwartz <owen@txv.io> Date: Sat Jan 25 20:37:34 2025 -0500 Rework traefik config generation commit ad3f896b5333e4706d610c3198f29dcd67610365 Author: Owen Schwartz <owen@txv.io> Date: Sat Jan 25 13:01:47 2025 -0500 Add proxy port to api commit ca6013b2ffda0924a696ec3141825a54a4e5297d Author: Owen Schwartz <owen@txv.io> Date: Sat Jan 25 12:58:01 2025 -0500 Add migration commit 2258d76cb3a49d3db7f05f76d8b8a9f1c248b5e4 Author: Owen Schwartz <owen@txv.io> Date: Sat Jan 25 12:55:02 2025 -0500 Add new proxy port 2025-01-28 22:26:45 -05:00			`resource.fullDomain!,`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`token,`
more visual enhancements and use expires instead of max age in cookies 2025-03-02 15:23:11 -05:00			`!resource.ssl,`
			`expiresAt ? new Date(expiresAt) : undefined`
refactor auth to work cross domain and with http resources closes #100 2025-01-26 14:42:02 -05:00			`);`

			`logger.debug(JSON.stringify("Exchange cookie: " + cookie));`
			`return response<ExchangeSessionResponse>(res, {`
			`data: { valid: true, cookie },`
			`success: true,`
			`error: false,`
			`message: "Session exchanged successfully",`
			`status: HttpCode.OK`
			`});`
			`} catch (e) {`
			`console.error(e);`
			`return next(`
			`createHttpError(`
			`HttpCode.INTERNAL_SERVER_ERROR,`
			`"Failed to exchange session"`
			`)`
			`);`
			`}`
			`}`