enforce resource session length

2026-02-21 20:36:37 +00:00 · 2025-10-26 16:52:15 -07:00
parent 1227b3c11a
commit 44316731c0
8 changed files with 90 additions and 112 deletions
--- a/server/private/lib/checkOrgAccessPolicy.ts
+++ b/server/private/lib/checkOrgAccessPolicy.ts
@@ -12,7 +12,14 @@
 */

 import { build } from "@server/build";
-import { db, Org, orgs, sessions, User, users } from "@server/db";
+import {
+    db,
+    Org,
+    orgs,
+    ResourceSession,
+    sessions,
+    users
+} from "@server/db";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import license from "#private/license/license";
@@ -23,6 +30,35 @@ import {
 } from "@server/lib/checkOrgAccessPolicy";
 import { UserType } from "@server/types/UserTypes";

+export async function enforceResourceSessionLength(
+    resourceSession: ResourceSession,
+    org: Org
+): Promise<{ valid: boolean; error?: string }> {
+    if (org.maxSessionLengthHours) {
+        const sessionIssuedAt = resourceSession.issuedAt; // may be null
+        const maxSessionLengthHours = org.maxSessionLengthHours;
+
+        if (sessionIssuedAt) {
+            const maxSessionLengthMs = maxSessionLengthHours * 60 * 60 * 1000;
+            const sessionAgeMs = Date.now() - sessionIssuedAt;
+
+            if (sessionAgeMs > maxSessionLengthMs) {
+                return {
+                    valid: false,
+                    error: `Resource session has expired due to organization policy (max session length: ${maxSessionLengthHours} hours)`
+                };
+            }
+        } else {
+            return {
+                valid: false,
+                error: `Resource session is invalid due to organization policy (max session length: ${maxSessionLengthHours} hours)`
+            };
+        }
+    }
+
+    return { valid: true };
+}
+
 export async function checkOrgAccessPolicy(
    props: CheckOrgAccessPolicyProps
 ): Promise<CheckOrgAccessPolicyResult> {
@@ -43,15 +79,6 @@ export async function checkOrgAccessPolicy(
        return { allowed: false, error: "Session ID is required" };
    }

-    if (build === "saas") {
-        const { tier } = await getOrgTierData(orgId);
-        const subscribed = tier === TierId.STANDARD;
-        // if not subscribed, don't check the policies
-        if (!subscribed) {
-            return { allowed: true };
-        }
-    }
-
    if (build === "enterprise") {
        const isUnlocked = await license.isUnlocked();
        // if not licensed, don't check the policies
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -73,8 +73,6 @@ import { validateResourceSessionToken } from "@server/auth/sessions/resource";
 import { checkExitNodeOrg, resolveExitNodes } from "#private/lib/exitNodes";
 import { maxmindLookup } from "@server/db/maxmind";
 import { verifyResourceAccessToken } from "@server/auth/verifyResourceAccessToken";
-import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
-import { CheckOrgAccessPolicyResult } from "@server/lib/checkOrgAccessPolicy";

 // Zod schemas for request validation
 const getResourceByDomainParamsSchema = z
@@ -1585,90 +1583,3 @@ hybridRouter.post(
        }
    }
 );
-
-const getOrgAccessPolicyParamsSchema = z
-    .object({
-        orgId: z.string().min(1),
-        userId: z.string().min(1)
-    })
-    .strict();
-
-const getOrgAccessPolicyBodySchema = z
-    .object({
-        sessionId: z.string().min(1)
-    })
-    .strict();
-
-hybridRouter.get(
-    "/org/:orgId/user/:userId/access",
-    async (req: Request, res: Response, next: NextFunction) => {
-        try {
-            const parsedParams = getOrgAccessPolicyParamsSchema.safeParse(
-                req.params
-            );
-            if (!parsedParams.success) {
-                return next(
-                    createHttpError(
-                        HttpCode.BAD_REQUEST,
-                        fromError(parsedParams.error).toString()
-                    )
-                );
-            }
-
-            const parsedBody = getOrgAccessPolicyBodySchema.safeParse(req.body);
-            if (!parsedBody.success) {
-                return next(
-                    createHttpError(
-                        HttpCode.BAD_REQUEST,
-                        fromError(parsedBody.error).toString()
-                    )
-                );
-            }
-
-            const { orgId, userId } = parsedParams.data;
-            const { sessionId } = parsedBody.data;
-            const remoteExitNode = req.remoteExitNode;
-
-            if (!remoteExitNode?.exitNodeId) {
-                return next(
-                    createHttpError(
-                        HttpCode.BAD_REQUEST,
-                        "Remote exit node not found"
-                    )
-                );
-            }
-
-            if (await checkExitNodeOrg(remoteExitNode.exitNodeId, orgId)) {
-                // If the exit node is not allowed for the org, return an error
-                return next(
-                    createHttpError(
-                        HttpCode.FORBIDDEN,
-                        "Exit node not allowed for this organization"
-                    )
-                );
-            }
-
-            const accessPolicy = await checkOrgAccessPolicy({
-                orgId,
-                userId,
-                sessionId
-            });
-
-            return response<CheckOrgAccessPolicyResult>(res, {
-                data: accessPolicy,
-                success: true,
-                error: false,
-                message: "Org access policy retrieved successfully",
-                status: HttpCode.OK
-            });
-        } catch (error) {
-            logger.error(error);
-            return next(
-                createHttpError(
-                    HttpCode.INTERNAL_SERVER_ERROR,
-                    "Failed to get org login page"
-                )
-            );
-        }
-    }
-);