fix(repository): Move backend code into subdirectory

Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2025-05-28 22:15:12 -04:00 · 2022-10-02 20:10:32 +02:00 · 2022-10-02 20:10:32 +02:00 · bf30cbcf48
commit bf30cbcf48
parent 86584e705f
272 changed files with 87 additions and 67 deletions
--- a/backend/src/session/session.module.ts
+++ b/backend/src/session/session.module.ts
@ -0,0 +1,17 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Module } from '@nestjs/common';
+import { TypeOrmModule } from '@nestjs/typeorm';
+
+import { Session } from '../users/session.entity';
+import { SessionService } from './session.service';
+
+@Module({
+  imports: [TypeOrmModule.forFeature([Session])],
+  exports: [SessionService],
+  providers: [SessionService],
+})
+export class SessionModule {}
--- a/backend/src/session/session.service.spec.ts
+++ b/backend/src/session/session.service.spec.ts
@ -0,0 +1,197 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import * as ConnectTypeormModule from 'connect-typeorm';
+import { TypeormStore } from 'connect-typeorm';
+import * as parseCookieModule from 'cookie';
+import * as cookieSignatureModule from 'cookie-signature';
+import { IncomingMessage } from 'http';
+import { Mock } from 'ts-mockery';
+import { Repository } from 'typeorm';
+
+import { AuthConfig } from '../config/auth.config';
+import { DatabaseType } from '../config/database-type.enum';
+import { DatabaseConfig } from '../config/database.config';
+import { Session } from '../users/session.entity';
+import { HEDGEDOC_SESSION } from '../utils/session';
+import { SessionService, SessionState } from './session.service';
+
+jest.mock('cookie');
+jest.mock('cookie-signature');
+
+describe('SessionService', () => {
+  let mockedTypeormStore: TypeormStore;
+  let mockedSessionRepository: Repository<Session>;
+  let databaseConfigMock: DatabaseConfig;
+  let authConfigMock: AuthConfig;
+  let typeormStoreConstructorMock: jest.SpyInstance;
+  const mockedExistingSessionId = 'mockedExistingSessionId';
+  const mockUsername = 'mockUser';
+  const mockSecret = 'mockSecret';
+  let sessionService: SessionService;
+
+  beforeEach(() => {
+    jest.resetModules();
+    jest.restoreAllMocks();
+    const mockedExistingSession = Mock.of<SessionState>({
+      user: mockUsername,
+    });
+    mockedTypeormStore = Mock.of<TypeormStore>({
+      connect: jest.fn(() => mockedTypeormStore),
+      get: jest.fn(((sessionId, callback) => {
+        if (sessionId === mockedExistingSessionId) {
+          callback(undefined, mockedExistingSession);
+        } else {
+          callback(new Error("Session doesn't exist"), undefined);
+        }
+      }) as TypeormStore['get']),
+    });
+    mockedSessionRepository = Mock.of<Repository<Session>>({});
+    databaseConfigMock = Mock.of<DatabaseConfig>({
+      type: DatabaseType.SQLITE,
+    });
+    authConfigMock = Mock.of<AuthConfig>({
+      session: {
+        secret: mockSecret,
+      },
+    });
+
+    typeormStoreConstructorMock = jest
+      .spyOn(ConnectTypeormModule, 'TypeormStore')
+      .mockReturnValue(mockedTypeormStore);
+
+    sessionService = new SessionService(
+      mockedSessionRepository,
+      databaseConfigMock,
+      authConfigMock,
+    );
+  });
+
+  it('creates a new TypeormStore on create', () => {
+    expect(typeormStoreConstructorMock).toHaveBeenCalledWith({
+      cleanupLimit: 2,
+      limitSubquery: true,
+    });
+    expect(mockedTypeormStore.connect).toHaveBeenCalledWith(
+      mockedSessionRepository,
+    );
+    expect(sessionService.getTypeormStore()).toBe(mockedTypeormStore);
+  });
+
+  it('can fetch a username for an existing session', async () => {
+    await expect(
+      sessionService.fetchUsernameForSessionId(mockedExistingSessionId),
+    ).resolves.toBe(mockUsername);
+  });
+
+  it("can't fetch a username for a non-existing session", async () => {
+    await expect(
+      sessionService.fetchUsernameForSessionId("doesn't exist"),
+    ).rejects.toThrow();
+  });
+
+  describe('extract verified session id from request', () => {
+    const validCookieHeader = 'validCookieHeader';
+    const validSessionId = 'validSessionId';
+
+    function mockParseCookieModule(sessionCookieContent: string): void {
+      jest
+        .spyOn(parseCookieModule, 'parse')
+        .mockImplementation((header: string): Record<string, string> => {
+          if (header === validCookieHeader) {
+            return {
+              [HEDGEDOC_SESSION]: sessionCookieContent,
+            };
+          } else {
+            return {};
+          }
+        });
+    }
+
+    beforeEach(() => {
+      jest.spyOn(parseCookieModule, 'parse').mockImplementation(() => {
+        throw new Error('call not expected!');
+      });
+      jest
+        .spyOn(cookieSignatureModule, 'unsign')
+        .mockImplementation((value, secret) => {
+          if (value.endsWith('.validSignature') && secret === mockSecret) {
+            return 'decryptedValue';
+          } else {
+            return false;
+          }
+        });
+    });
+
+    it('fails if no cookie header is present', () => {
+      const mockedRequest = Mock.of<IncomingMessage>({
+        headers: {},
+      });
+      expect(() =>
+        sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
+      ).toThrow('No hedgedoc-session cookie found');
+    });
+
+    it("fails if the cookie header isn't valid", () => {
+      const mockedRequest = Mock.of<IncomingMessage>({
+        headers: { cookie: 'no' },
+      });
+      mockParseCookieModule(`s:anyValidSessionId.validSignature`);
+      expect(() =>
+        sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
+      ).toThrow('No hedgedoc-session cookie found');
+    });
+
+    it("fails if the hedgedoc session cookie isn't marked as signed", () => {
+      const mockedRequest = Mock.of<IncomingMessage>({
+        headers: { cookie: validCookieHeader },
+      });
+      mockParseCookieModule('sessionId.validSignature');
+      expect(() =>
+        sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
+      ).toThrow("cookie doesn't look like a signed cookie");
+    });
+
+    it("fails if the hedgedoc session cookie doesn't contain a session id", () => {
+      const mockedRequest = Mock.of<IncomingMessage>({
+        headers: { cookie: validCookieHeader },
+      });
+      mockParseCookieModule('s:.validSignature');
+      expect(() =>
+        sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
+      ).toThrow("cookie doesn't look like a signed cookie");
+    });
+
+    it("fails if the hedgedoc session cookie doesn't contain a signature", () => {
+      const mockedRequest = Mock.of<IncomingMessage>({
+        headers: { cookie: validCookieHeader },
+      });
+      mockParseCookieModule('s:sessionId.');
+      expect(() =>
+        sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
+      ).toThrow("cookie doesn't look like a signed cookie");
+    });
+
+    it("fails if the hedgedoc session cookie isn't signed correctly", () => {
+      const mockedRequest = Mock.of<IncomingMessage>({
+        headers: { cookie: validCookieHeader },
+      });
+      mockParseCookieModule('s:sessionId.invalidSignature');
+      expect(() =>
+        sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
+      ).toThrow("Signature of hedgedoc-session cookie isn't valid.");
+    });
+
+    it('can extract a session id from a valid request', () => {
+      const mockedRequest = Mock.of<IncomingMessage>({
+        headers: { cookie: validCookieHeader },
+      });
+      mockParseCookieModule(`s:${validSessionId}.validSignature`);
+      expect(
+        sessionService.extractVerifiedSessionIdFromRequest(mockedRequest),
+      ).toBe(validSessionId);
+    });
+  });
+});
--- a/backend/src/session/session.service.ts
+++ b/backend/src/session/session.service.ts
@ -0,0 +1,96 @@
+/*
+ * SPDX-FileCopyrightText: 2022 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { Optional } from '@mrdrogdrog/optional';
+import { Inject, Injectable } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import { TypeormStore } from 'connect-typeorm';
+import { parse as parseCookie } from 'cookie';
+import { unsign } from 'cookie-signature';
+import { IncomingMessage } from 'http';
+import { Repository } from 'typeorm';
+
+import authConfiguration, { AuthConfig } from '../config/auth.config';
+import { DatabaseType } from '../config/database-type.enum';
+import databaseConfiguration, {
+  DatabaseConfig,
+} from '../config/database.config';
+import { Session } from '../users/session.entity';
+import { HEDGEDOC_SESSION } from '../utils/session';
+
+export interface SessionState {
+  cookie: unknown;
+  user: string;
+  authProvider: string;
+}
+
+/**
+ * Finds {@link Session sessions} by session id and verifies session cookies.
+ */
+@Injectable()
+export class SessionService {
+  private static readonly sessionCookieContentRegex = /^s:(([^.]+)\.(.+))$/;
+  private readonly typeormStore: TypeormStore;
+
+  constructor(
+    @InjectRepository(Session) private sessionRepository: Repository<Session>,
+    @Inject(databaseConfiguration.KEY)
+    private dbConfig: DatabaseConfig,
+    @Inject(authConfiguration.KEY)
+    private authConfig: AuthConfig,
+  ) {
+    this.typeormStore = new TypeormStore({
+      cleanupLimit: 2,
+      limitSubquery: dbConfig.type !== DatabaseType.MARIADB,
+    }).connect(sessionRepository);
+  }
+
+  getTypeormStore(): TypeormStore {
+    return this.typeormStore;
+  }
+
+  /**
+   * Finds the username of the user that own the given session id.
+   *
+   * @async
+   * @param sessionId The session id for which the owning user should be found
+   * @return A Promise that either resolves with the username or rejects with an error
+   */
+  fetchUsernameForSessionId(sessionId: string): Promise<string> {
+    return new Promise((resolve, reject) => {
+      this.typeormStore.get(sessionId, (error?: Error, result?: SessionState) =>
+        error || !result ? reject(error) : resolve(result.user),
+      );
+    });
+  }
+
+  /**
+   * Extracts the hedgedoc session cookie from the given {@link IncomingMessage request} and checks if the signature is correct.
+   *
+   * @param request The http request that contains a session cookie
+   * @return The extracted session id
+   * @throws Error if no session cookie was found
+   * @throws Error if the cookie content is malformed
+   * @throws Error if the cookie content isn't signed
+   */
+  extractVerifiedSessionIdFromRequest(request: IncomingMessage): string {
+    return Optional.ofNullable(request.headers.cookie)
+      .map((cookieHeader) => parseCookie(cookieHeader)[HEDGEDOC_SESSION])
+      .orThrow(() => new Error(`No ${HEDGEDOC_SESSION} cookie found`))
+      .map((cookie) => SessionService.sessionCookieContentRegex.exec(cookie))
+      .orThrow(
+        () =>
+          new Error(
+            `${HEDGEDOC_SESSION} cookie doesn't look like a signed cookie`,
+          ),
+      )
+      .guard(
+        (cookie) => unsign(cookie[1], this.authConfig.session.secret) !== false,
+        () => new Error(`Signature of ${HEDGEDOC_SESSION} cookie isn't valid.`),
+      )
+      .map((cookie) => cookie[2])
+      .get();
+  }
+}