feat(auth): implement Android refresh token handling and session management
- Added support for generating Android access tokens and managing refresh sessions in the auth endpoints. - Implemented new tests for login, logout, and refresh functionalities specific to Android clients. - Enhanced password reset logging with normalization and masking of email addresses. - Created a new diagnostics endpoint for password reset attempts, including filtering and summarizing logs. - Introduced a new utility for managing password reset logs with retention policies. - Added tests for password reset log utilities to ensure proper functionality and privacy compliance. - Updated WebAuthn configuration tests to validate origin handling for production and allowed origins.
This commit is contained in:
Torsten Schulz (local)
@@ -1,5 +1,6 @@
|
||||
import bcrypt from 'bcryptjs'
|
||||
import jwt from 'jsonwebtoken'
|
||||
import crypto from 'crypto'
|
||||
import { promises as fs } from 'fs'
|
||||
import path from 'path'
|
||||
import { encryptObject, decryptObject } from './encryption.js'
|
||||
@@ -46,6 +47,10 @@ const getDataPath = (filename) => {
|
||||
|
||||
const USERS_FILE = getDataPath('users.json')
|
||||
const SESSIONS_FILE = getDataPath('sessions.json')
|
||||
const ANDROID_ACCESS_TOKEN_TTL = '15m'
|
||||
const REFRESH_SESSION_TTL_MS = 90 * 24 * 60 * 60 * 1000
|
||||
const refreshMutationState = globalThis.__HTC_REFRESH_MUTATION_STATE__ || { tail: Promise.resolve() }
|
||||
globalThis.__HTC_REFRESH_MUTATION_STATE__ = refreshMutationState
|
||||
|
||||
// Get encryption key from environment
|
||||
function getEncryptionKey() {
|
||||
@@ -146,7 +151,7 @@ export async function readUsers() {
|
||||
try {
|
||||
users = JSON.parse(data)
|
||||
console.warn('Entschlüsselung fehlgeschlagen, versuche als unverschlüsseltes Format zu lesen')
|
||||
} catch (_parseError) {
|
||||
} catch {
|
||||
console.error('Konnte Benutzerdaten weder entschlüsseln noch als JSON lesen')
|
||||
return []
|
||||
}
|
||||
@@ -210,7 +215,7 @@ function isSessionsEncrypted(data) {
|
||||
return false
|
||||
}
|
||||
return false
|
||||
} catch (e) {
|
||||
} catch {
|
||||
return true
|
||||
}
|
||||
}
|
||||
@@ -231,7 +236,7 @@ export async function readSessions() {
|
||||
const plainData = JSON.parse(data)
|
||||
console.warn('Entschlüsselung fehlgeschlagen, versuche als unverschlüsseltes Format zu lesen')
|
||||
return plainData
|
||||
} catch (_parseError) {
|
||||
} catch {
|
||||
console.error('Konnte Sessions weder entschlüsseln noch als JSON lesen')
|
||||
return []
|
||||
}
|
||||
@@ -277,27 +282,36 @@ export async function verifyPassword(password, hash) {
|
||||
}
|
||||
|
||||
// Generate JWT token
|
||||
export function generateToken(user) {
|
||||
export function generateToken(user, { expiresIn = '7d', sessionId = null } = {}) {
|
||||
// Stelle sicher, dass Rollen migriert sind
|
||||
const migratedUser = migrateUserRoles({ ...user })
|
||||
const roles = Array.isArray(migratedUser.roles) ? migratedUser.roles : (migratedUser.role ? [migratedUser.role] : ['mitglied'])
|
||||
|
||||
const claims = {
|
||||
id: user.id,
|
||||
email: user.email,
|
||||
roles: roles
|
||||
}
|
||||
if (sessionId) {
|
||||
claims.sid = sessionId
|
||||
}
|
||||
|
||||
return jwt.sign(
|
||||
{
|
||||
id: user.id,
|
||||
email: user.email,
|
||||
roles: roles
|
||||
},
|
||||
claims,
|
||||
JWT_SECRET,
|
||||
{ expiresIn: '7d' }
|
||||
{ expiresIn }
|
||||
)
|
||||
}
|
||||
|
||||
export function generateAndroidAccessToken(user, sessionId) {
|
||||
return generateToken(user, { expiresIn: ANDROID_ACCESS_TOKEN_TTL, sessionId })
|
||||
}
|
||||
|
||||
// Verify JWT token
|
||||
export function verifyToken(token) {
|
||||
try {
|
||||
return jwt.verify(token, JWT_SECRET)
|
||||
} catch (_error) {
|
||||
} catch {
|
||||
return null
|
||||
}
|
||||
}
|
||||
@@ -343,6 +357,14 @@ export async function getUserFromToken(token) {
|
||||
const decoded = verifyToken(token)
|
||||
if (!decoded) return null
|
||||
|
||||
if (decoded.sid) {
|
||||
const sessions = await readSessions()
|
||||
const session = sessions.find(s => s.id === decoded.sid && s.userId === decoded.id)
|
||||
if (!session || session.revokedAt || new Date(session.expiresAt).getTime() <= Date.now()) {
|
||||
return null
|
||||
}
|
||||
}
|
||||
|
||||
const users = await readUsers()
|
||||
const user = users.find(u => u.id === decoded.id)
|
||||
|
||||
@@ -376,6 +398,130 @@ export async function deleteSession(token) {
|
||||
await writeSessions(filtered)
|
||||
}
|
||||
|
||||
function hashRefreshToken(token) {
|
||||
return crypto.createHash('sha256').update(String(token), 'utf8').digest('hex')
|
||||
}
|
||||
|
||||
function issueRefreshToken() {
|
||||
return crypto.randomBytes(48).toString('base64url')
|
||||
}
|
||||
|
||||
function serializeRefreshMutation(operation) {
|
||||
const result = refreshMutationState.tail.then(operation, operation)
|
||||
refreshMutationState.tail = result.then(() => undefined, () => undefined)
|
||||
return result
|
||||
}
|
||||
|
||||
export async function createRefreshSession(userId, deviceName = 'Android') {
|
||||
return serializeRefreshMutation(async () => {
|
||||
const sessions = await readSessions()
|
||||
const refreshToken = issueRefreshToken()
|
||||
const createdAt = new Date().toISOString()
|
||||
const session = {
|
||||
id: crypto.randomUUID(),
|
||||
familyId: crypto.randomUUID(),
|
||||
type: 'android_refresh',
|
||||
userId,
|
||||
deviceName: String(deviceName || 'Android').slice(0, 100),
|
||||
refreshTokenHash: hashRefreshToken(refreshToken),
|
||||
createdAt,
|
||||
lastUsedAt: createdAt,
|
||||
expiresAt: new Date(Date.now() + REFRESH_SESSION_TTL_MS).toISOString(),
|
||||
revokedAt: null
|
||||
}
|
||||
sessions.push(session)
|
||||
await writeSessions(sessions)
|
||||
return { session, refreshToken }
|
||||
})
|
||||
}
|
||||
|
||||
export async function rotateRefreshSession(refreshToken) {
|
||||
return serializeRefreshMutation(async () => {
|
||||
const sessions = await readSessions()
|
||||
const tokenHash = hashRefreshToken(refreshToken)
|
||||
const session = sessions.find(s => s.type === 'android_refresh' && s.refreshTokenHash === tokenHash)
|
||||
const now = new Date()
|
||||
const nowIso = now.toISOString()
|
||||
|
||||
if (!session) return { status: 'invalid' }
|
||||
|
||||
if (session.revokedAt) {
|
||||
if (session.rotatedAt) {
|
||||
for (const related of sessions) {
|
||||
if (related.familyId === session.familyId && !related.revokedAt) {
|
||||
related.revokedAt = nowIso
|
||||
related.revokeReason = 'refresh_token_reuse'
|
||||
}
|
||||
}
|
||||
await writeSessions(sessions)
|
||||
return { status: 'reused', session }
|
||||
}
|
||||
return { status: 'revoked', session }
|
||||
}
|
||||
|
||||
if (new Date(session.expiresAt).getTime() <= now.getTime()) {
|
||||
session.revokedAt = nowIso
|
||||
session.revokeReason = 'expired'
|
||||
await writeSessions(sessions)
|
||||
return { status: 'expired', session }
|
||||
}
|
||||
|
||||
const nextRefreshToken = issueRefreshToken()
|
||||
const nextSession = {
|
||||
...session,
|
||||
id: crypto.randomUUID(),
|
||||
refreshTokenHash: hashRefreshToken(nextRefreshToken),
|
||||
createdAt: nowIso,
|
||||
lastUsedAt: nowIso,
|
||||
expiresAt: new Date(Date.now() + REFRESH_SESSION_TTL_MS).toISOString(),
|
||||
revokedAt: null
|
||||
}
|
||||
session.lastUsedAt = nowIso
|
||||
session.revokedAt = nowIso
|
||||
session.rotatedAt = nowIso
|
||||
session.replacedBy = nextSession.id
|
||||
session.revokeReason = 'rotated'
|
||||
sessions.push(nextSession)
|
||||
await writeSessions(sessions)
|
||||
return { status: 'rotated', session: nextSession, refreshToken: nextRefreshToken }
|
||||
})
|
||||
}
|
||||
|
||||
export async function revokeRefreshSession(refreshToken, reason = 'logout') {
|
||||
return serializeRefreshMutation(async () => {
|
||||
const sessions = await readSessions()
|
||||
const tokenHash = hashRefreshToken(refreshToken)
|
||||
const session = sessions.find(s => s.type === 'android_refresh' && s.refreshTokenHash === tokenHash)
|
||||
if (!session) return false
|
||||
|
||||
const revokedAt = new Date().toISOString()
|
||||
for (const related of sessions) {
|
||||
if (related.familyId === session.familyId && !related.revokedAt) {
|
||||
related.revokedAt = revokedAt
|
||||
related.revokeReason = reason
|
||||
}
|
||||
}
|
||||
await writeSessions(sessions)
|
||||
return true
|
||||
})
|
||||
}
|
||||
|
||||
export async function revokeRefreshSessionsForUser(userId, reason) {
|
||||
return serializeRefreshMutation(async () => {
|
||||
const sessions = await readSessions()
|
||||
const revokedAt = new Date().toISOString()
|
||||
let changed = false
|
||||
for (const session of sessions) {
|
||||
if (session.type === 'android_refresh' && session.userId === userId && !session.revokedAt) {
|
||||
session.revokedAt = revokedAt
|
||||
session.revokeReason = reason
|
||||
changed = true
|
||||
}
|
||||
}
|
||||
if (changed) await writeSessions(sessions)
|
||||
})
|
||||
}
|
||||
|
||||
// Clean expired sessions
|
||||
export async function cleanExpiredSessions() {
|
||||
const sessions = await readSessions()
|
||||
@@ -383,4 +529,3 @@ export async function cleanExpiredSessions() {
|
||||
const valid = sessions.filter(s => new Date(s.expiresAt) > now)
|
||||
await writeSessions(valid)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user