feat: add session handling

Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-05-23 11:37:02 -04:00 · 2021-08-31 13:36:13 +02:00 · 2021-08-31 13:36:13 +02:00 · 28be215aad
commit 28be215aad
parent ce68184578
5 changed files with 98 additions and 3 deletions
--- a/src/identity/session.guard.ts
+++ b/src/identity/session.guard.ts
@ -0,0 +1,49 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import {
+  CanActivate,
+  ExecutionContext,
+  Injectable,
+  UnauthorizedException,
+} from '@nestjs/common';
+
+import { NotInDBError } from '../errors/errors';
+import { ConsoleLoggerService } from '../logger/console-logger.service';
+import { User } from '../users/user.entity';
+import { UsersService } from '../users/users.service';
+
+@Injectable()
+export class SessionGuard implements CanActivate {
+  constructor(
+    private readonly logger: ConsoleLoggerService,
+    private userService: UsersService,
+  ) {
+    this.logger.setContext(SessionGuard.name);
+  }
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request: Request & { session?: { user: string }; user?: User } =
+      context.switchToHttp().getRequest();
+    if (!request.session) {
+      this.logger.debug('The user has no session.');
+      throw new UnauthorizedException("You're not logged in");
+    }
+    try {
+      request.user = await this.userService.getUserByUsername(
+        request.session.user,
+      );
+      return true;
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        this.logger.debug(
+          `The user '${request.session.user}' does not exist, but has a session.`,
+        );
+        throw new UnauthorizedException("You're not logged in");
+      }
+      throw e;
+    }
+  }
+}
--- a/src/main.ts
+++ b/src/main.ts
@ -10,9 +10,11 @@ import { NestExpressApplication } from '@nestjs/platform-express';

 import { AppModule } from './app.module';
 import { AppConfig } from './config/app.config';
+import { AuthConfig } from './config/auth.config';
 import { MediaConfig } from './config/media.config';
 import { ConsoleLoggerService } from './logger/console-logger.service';
 import { BackendType } from './media/backends/backend-type.enum';
+import { setupSessionMiddleware } from './utils/session';
 import { setupPrivateApiDocs, setupPublicApiDocs } from './utils/swagger';

 async function bootstrap(): Promise<void> {
@ -25,9 +27,10 @@ async function bootstrap(): Promise<void> {
  app.useLogger(logger);
  const configService = app.get(ConfigService);
  const appConfig = configService.get<AppConfig>('appConfig');
+  const authConfig = configService.get<AuthConfig>('authConfig');
  const mediaConfig = configService.get<MediaConfig>('mediaConfig');

-  if (!appConfig || !mediaConfig) {
+  if (!appConfig || !authConfig || !mediaConfig) {
    logger.error('Could not initialize config, aborting.', 'AppBootstrap');
    process.exit(1);
  }
@ -45,6 +48,8 @@ async function bootstrap(): Promise<void> {
    );
  }

+  setupSessionMiddleware(app, authConfig);
+
  app.enableCors({
    origin: appConfig.rendererOrigin,
  });
--- a/src/utils/session.ts
+++ b/src/utils/session.ts
@ -0,0 +1,39 @@
+/*
+ * SPDX-FileCopyrightText: 2021 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { INestApplication } from '@nestjs/common';
+import { getRepositoryToken } from '@nestjs/typeorm';
+import { TypeormStore } from 'connect-typeorm';
+import session from 'express-session';
+import { Repository } from 'typeorm';
+
+import { AuthConfig } from '../config/auth.config';
+import { Session } from '../users/session.entity';
+
+/**
+ * Setup the session middleware via the given authConfig.
+ * @param {INestApplication} app - the nest application to configure the middleware for.
+ * @param {AuthConfig} authConfig - the authConfig to configure the middleware with.
+ */
+export function setupSessionMiddleware(
+  app: INestApplication,
+  authConfig: AuthConfig,
+): void {
+  app.use(
+    session({
+      name: 'hedgedoc-session',
+      secret: authConfig.session.secret,
+      cookie: {
+        maxAge: authConfig.session.lifetime,
+      },
+      resave: false,
+      saveUninitialized: false,
+      store: new TypeormStore({
+        cleanupLimit: 2,
+        ttl: 86400,
+      }).connect(app.get<Repository<Session>>(getRepositoryToken(Session))),
+    }),
+  );
+}