enforce resource session length

2026-02-27 07:16:40 +00:00 · 2025-10-26 16:52:15 -07:00
parent 1227b3c11a
commit 44316731c0
8 changed files with 90 additions and 112 deletions
--- a/server/private/lib/checkOrgAccessPolicy.ts
+++ b/server/private/lib/checkOrgAccessPolicy.ts
@@ -12,7 +12,14 @@
 */

 import { build } from "@server/build";
-import { db, Org, orgs, sessions, User, users } from "@server/db";
+import {
+    db,
+    Org,
+    orgs,
+    ResourceSession,
+    sessions,
+    users
+} from "@server/db";
 import { getOrgTierData } from "#private/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import license from "#private/license/license";
@@ -23,6 +30,35 @@ import {
 } from "@server/lib/checkOrgAccessPolicy";
 import { UserType } from "@server/types/UserTypes";

+export async function enforceResourceSessionLength(
+    resourceSession: ResourceSession,
+    org: Org
+): Promise<{ valid: boolean; error?: string }> {
+    if (org.maxSessionLengthHours) {
+        const sessionIssuedAt = resourceSession.issuedAt; // may be null
+        const maxSessionLengthHours = org.maxSessionLengthHours;
+
+        if (sessionIssuedAt) {
+            const maxSessionLengthMs = maxSessionLengthHours * 60 * 60 * 1000;
+            const sessionAgeMs = Date.now() - sessionIssuedAt;
+
+            if (sessionAgeMs > maxSessionLengthMs) {
+                return {
+                    valid: false,
+                    error: `Resource session has expired due to organization policy (max session length: ${maxSessionLengthHours} hours)`
+                };
+            }
+        } else {
+            return {
+                valid: false,
+                error: `Resource session is invalid due to organization policy (max session length: ${maxSessionLengthHours} hours)`
+            };
+        }
+    }
+
+    return { valid: true };
+}
+
 export async function checkOrgAccessPolicy(
    props: CheckOrgAccessPolicyProps
 ): Promise<CheckOrgAccessPolicyResult> {
@@ -43,15 +79,6 @@ export async function checkOrgAccessPolicy(
        return { allowed: false, error: "Session ID is required" };
    }

-    if (build === "saas") {
-        const { tier } = await getOrgTierData(orgId);
-        const subscribed = tier === TierId.STANDARD;
-        // if not subscribed, don't check the policies
-        if (!subscribed) {
-            return { allowed: true };
-        }
-    }
-
    if (build === "enterprise") {
        const isUnlocked = await license.isUnlocked();
        // if not licensed, don't check the policies