enforce resource session length

2026-02-24 05:46:39 +00:00 · 2025-10-26 16:52:15 -07:00
parent 1227b3c11a
commit 44316731c0
8 changed files with 90 additions and 112 deletions
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -16,12 +16,14 @@ import {
 } from "@server/db/queries/verifySessionQueries";
 import {
    LoginPage,
+    Org,
    Resource,
    ResourceAccessToken,
    ResourceHeaderAuth,
    ResourcePassword,
    ResourcePincode,
-    ResourceRule
+    ResourceRule,
+    resourceSessions
 } from "@server/db";
 import config from "@server/lib/config";
 import { isIpInCidr } from "@server/lib/ip";
@@ -37,7 +39,10 @@ import { getCountryCodeForIp } from "@server/lib/geoip";
 import { getOrgTierData } from "#dynamic/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { verifyPassword } from "@server/auth/password";
-import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import {
+    checkOrgAccessPolicy,
+    enforceResourceSessionLength
+} from "#dynamic/lib/checkOrgAccessPolicy";

 // We'll see if this speeds anything up
 const cache = new NodeCache({
@@ -142,6 +147,7 @@ export async function verifyResourceSession(
                  pincode: ResourcePincode | null;
                  password: ResourcePassword | null;
                  headerAuth: ResourceHeaderAuth | null;
+                  org: Org;
              }
            | undefined = cache.get(resourceCacheKey);

@@ -380,6 +386,22 @@ export async function verifyResourceSession(
            }

            if (resourceSession) {
+                // only run this check if not SSO sesion; SSO session length is checked later
+                if (!(resourceSessions.userSessionId && sso)) {
+                    const accessPolicy = await enforceResourceSessionLength(
+                        resourceSession,
+                        resourceData.org
+                    );
+
+                    if (!accessPolicy.valid) {
+                        logger.debug(
+                            "Resource session invalid due to org policy:",
+                            accessPolicy.error
+                        );
+                        return notAllowed(res, redirectPath, resource.orgId);
+                    }
+                }
+
                if (pincode && resourceSession.pincodeId) {
                    logger.debug(
                        "Resource allowed because pincode session is valid"
@@ -422,7 +444,8 @@ export async function verifyResourceSession(
                    if (allowedUserData === undefined) {
                        allowedUserData = await isUserAllowedToAccessResource(
                            resourceSession.userSessionId,
-                            resource
+                            resource,
+                            resourceData.org
                        );

                        cache.set(userAccessCacheKey, allowedUserData);
@@ -564,7 +587,8 @@ function allowed(res: Response, userData?: BasicUserData) {

 async function isUserAllowedToAccessResource(
    userSessionId: string,
-    resource: Resource
+    resource: Resource,
+    org: Org
 ): Promise<BasicUserData | null> {
    const result = await getUserSessionWithUser(userSessionId);

@@ -592,9 +616,9 @@ async function isUserAllowedToAccessResource(
    }

    const accessPolicy = await checkOrgAccessPolicy({
-        orgId: resource.orgId,
-        userId: user.userId,
-        sessionId: session.sessionId
+        org,
+        user,
+        session
    });
    if (!accessPolicy.allowed || accessPolicy.error) {
        logger.debug(`User not allowed by org access policy because`, {