fix(security): Fix session revocation

2024-11-14 22:06:00 +00:00 · 2024-04-25 16:18:58 -04:00 · 2024-04-25 16:18:58 -04:00 · eb166a67a9
commit eb166a67a9
parent 51a6d1ea1d
2 changed files with 10 additions and 5 deletions
--- a/packages/backend/src/services/SessionService.js
+++ b/packages/backend/src/services/SessionService.js
@ -89,6 +89,8 @@ class SessionService extends BaseService {
    }

    remove_internal_values_ (session) {
+        if ( session === undefined ) return;
+
        const copy = {
            ...session,
        };
@ -128,12 +130,18 @@ class SessionService extends BaseService {
            if ( now - session.last_store > 5 * MINUTE ) {
                this.log.debug('storing session meta: ' + session.uuid);
                const unix_ts = Math.floor(now / 1000);
-                await this.db.write(
+                const { anyRowsAffected } = await this.db.write(
                    'UPDATE `sessions` ' +
                    'SET `meta` = ?, `last_activity` = ? ' +
                    'WHERE `uuid` = ?',
                    [JSON.stringify(session.meta), unix_ts, session.uuid],
                );
+
+                if ( ! anyRowsAffected ) {
+                    delete this.sessions[key];
+                    continue;
+                }
+
                session.last_store = now;
                if (
                    ! user_updates[session.user_id] ||
--- a/packages/backend/src/services/auth/AuthService.js
+++ b/packages/backend/src/services/auth/AuthService.js
@ -391,10 +391,7 @@ class AuthService extends BaseService {

    async revoke_session (actor, uuid) {
        delete this.sessions[uuid];
-        await this.db.write(
-            `DELETE FROM sessions WHERE uuid = ? AND user_id = ?`,
-            [uuid, actor.type.user.id]
-        );
+        this.svc_session.remove_session(uuid);
    }

    async get_user_app_token_from_origin (origin) {