set resource session as base domain cookie

server/auth/resource.ts

@@ -3,9 +3,13 @@ import { sha256 } from "@oslojs/crypto/sha2";
 import { resourceSessions, ResourceSession } from "@server/db/schema";
 import db from "@server/db";
 import { eq, and } from "drizzle-orm";
+import config from "@server/config";
 
 export const SESSION_COOKIE_NAME = "resource_session";
 export const SESSION_COOKIE_EXPIRES = 1000 * 60 * 60 * 24 * 30;
+export const SECURE_COOKIES = config.server.secure_cookies;
+export const COOKIE_DOMAIN =
+    "." + new URL(config.app.base_url).hostname.split(".").slice(-2).join(".");
 
 export async function createResourceSession(opts: {
     token: string;
@@ -115,25 +119,25 @@ export async function invalidateAllSessions(
 }
 
 export function serializeResourceSessionCookie(
+    cookieName: string,
     token: string,
     fqdn: string,
-    secure: boolean,
 ): string {
-    if (secure) {
-        return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=.localhost`;
+    if (SECURE_COOKIES) {
+        return `${cookieName}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
     } else {
-        return `${SESSION_COOKIE_NAME}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=.localhost`;
+        return `${cookieName}=${token}; HttpOnly; SameSite=Lax; Max-Age=${SESSION_COOKIE_EXPIRES}; Path=/; Domain=${COOKIE_DOMAIN}`;
     }
 }
 
 export function createBlankResourceSessionTokenCookie(
+    cookieName: string,
     fqdn: string,
-    secure: boolean,
 ): string {
-    if (secure) {
-        return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${fqdn}`;
+    if (SECURE_COOKIES) {
+        return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Secure; Domain=${COOKIE_DOMAIN}`;
     } else {
-        return `${SESSION_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${fqdn}`;
+        return `${cookieName}=; HttpOnly; SameSite=Lax; Max-Age=0; Path=/; Domain=${COOKIE_DOMAIN}`;
     }
 }
 

server/config.ts

@@ -128,11 +128,15 @@ if (!parsedConfig.success) {
 
 process.env.SERVER_EXTERNAL_PORT =
     parsedConfig.data.server.external_port.toString();
+process.env.SERVER_INTERNAL_PORT =
+    parsedConfig.data.server.internal_port.toString();
 process.env.FLAGS_EMAIL_VERIFICATION_REQUIRED = parsedConfig.data.flags
     ?.require_email_verification
     ? "true"
     : "false";
 process.env.SESSION_COOKIE_NAME = parsedConfig.data.server.session_cookie_name;
+process.env.RESOURCE_SESSION_COOKIE_NAME =
+    parsedConfig.data.badger.resource_session_cookie_name;
 process.env.RESOURCE_SESSION_QUERY_PARAM_NAME =
     parsedConfig.data.badger.session_query_parameter;
 

server/routers/auth/checkResourceSession.ts

@@ -0,0 +1,65 @@
+import { Request, Response, NextFunction } from "express";
+import createHttpError from "http-errors";
+import { z } from "zod";
+import { fromError } from "zod-validation-error";
+import HttpCode from "@server/types/HttpCode";
+import { response } from "@server/utils";
+import { validateSessionToken } from "@server/auth";
+import { validateResourceSessionToken } from "@server/auth/resource";
+
+export const params = z.object({
+    token: z.string(),
+    resourceId: z.string().transform(Number).pipe(z.number().int().positive()),
+});
+
+export type CheckResourceSessionParams = z.infer<typeof params>;
+
+export type CheckResourceSessionResponse = {
+    valid: boolean;
+};
+
+export async function checkResourceSession(
+    req: Request,
+    res: Response,
+    next: NextFunction,
+): Promise<any> {
+    const parsedParams = params.safeParse(req.params);
+
+    if (!parsedParams.success) {
+        return next(
+            createHttpError(
+                HttpCode.BAD_REQUEST,
+                fromError(parsedParams.error).toString(),
+            ),
+        );
+    }
+
+    const { token, resourceId } = parsedParams.data;
+
+    try {
+        const { resourceSession } = await validateResourceSessionToken(
+            token,
+            resourceId,
+        );
+
+        let valid = false;
+        if (resourceSession) {
+            valid = true;
+        }
+
+        return response<CheckResourceSessionResponse>(res, {
+            data: { valid },
+            success: true,
+            error: false,
+            message: "Checked validity",
+            status: HttpCode.OK,
+        });
+    } catch (e) {
+        return next(
+            createHttpError(
+                HttpCode.INTERNAL_SERVER_ERROR,
+                "Failed to reset password",
+            ),
+        );
+    }
+}

server/routers/auth/index.ts

@@ -9,3 +9,4 @@ export * from "./requestEmailVerificationCode";
 export * from "./changePassword";
 export * from "./requestPasswordReset";
 export * from "./resetPassword";
+export * from "./checkResourceSession";

server/routers/badger/verifySession.ts

@@ -19,10 +19,7 @@ import { Resource, roleResources, userResources } from "@server/db/schema";
 import logger from "@server/logger";
 
 const verifyResourceSessionSchema = z.object({
-    sessions: z.object({
-        session: z.string().nullable(),
-        resource_session: z.string().nullable(),
-    }),
+    sessions: z.record(z.string()).optional(),
     originalRequestURL: z.string().url(),
     scheme: z.string(),
     host: z.string(),
@@ -98,10 +95,15 @@ export async function verifyResourceSession(
 
         const redirectUrl = `${config.app.base_url}/auth/resource/${encodeURIComponent(resource.resourceId)}?redirect=${encodeURIComponent(originalRequestURL)}`;
 
-        if (sso && sessions.session) {
-            const { session, user } = await validateSessionToken(
-                sessions.session,
-            );
+        if (!sessions) {
+            return notAllowed(res);
+        }
+
+        const sessionToken = sessions[config.server.session_cookie_name];
+
+        // check for unified login
+        if (sso && sessionToken) {
+            const { session, user } = await validateSessionToken(sessionToken);
             if (session && user) {
                 const isAllowed = await isUserAllowedToAccessResource(
                     user.userId,
@@ -117,11 +119,17 @@ export async function verifyResourceSession(
             }
         }
 
-        if (password && sessions.resource_session) {
+        const resourceSessionToken =
+            sessions[
+                `${config.badger.resource_session_cookie_name}_${resource.resourceId}`
+            ];
+
+        if ((pincode || password) && resourceSessionToken) {
             const { resourceSession } = await validateResourceSessionToken(
-                sessions.resource_session,
+                resourceSessionToken,
                 resource.resourceId,
             );
+
             if (resourceSession) {
                 if (
                     pincode &&

server/routers/internal.ts

@@ -2,6 +2,7 @@ import { Router } from "express";
 import * as gerbil from "@server/routers/gerbil";
 import * as badger from "@server/routers/badger";
 import * as traefik from "@server/routers/traefik";
+import * as auth from "@server/routers/auth";
 import HttpCode from "@server/types/HttpCode";
 
 // Root routes
@@ -12,6 +13,10 @@ internalRouter.get("/", (_, res) => {
 });
 
 internalRouter.get("/traefik-config", traefik.traefikConfigProvider);
+internalRouter.get(
+    "/resource-session/:resourceId/:token",
+    auth.checkResourceSession,
+);
 
 // Gerbil routes
 const gerbilRouter = Router();

server/routers/resource/authWithPassword.ts

@@ -14,6 +14,7 @@ import {
     serializeResourceSessionCookie,
 } from "@server/auth/resource";
 import logger from "@server/logger";
+import config from "@server/config";
 
 export const authWithPasswordBodySchema = z.object({
     password: z.string(),
@@ -131,15 +132,15 @@ export async function authWithPassword(
             token,
             passwordId: definedPassword.passwordId,
         });
-        // const secureCookie = resource.ssl;
-        // const cookie = serializeResourceSessionCookie(
-        //     token,
-        //     resource.fullDomain,
-        //     secureCookie,
-        // );
-        // res.appendHeader("Set-Cookie", cookie);
+        const cookieName = `${config.badger.resource_session_cookie_name}_${resource.resourceId}`;
+        const cookie = serializeResourceSessionCookie(
+            cookieName,
+            token,
+            resource.fullDomain,
+        );
+        res.appendHeader("Set-Cookie", cookie);
 
-        // logger.debug(cookie); // remove after testing
+        logger.debug(cookie); // remove after testing
 
         return response<AuthWithPasswordResponse>(res, {
             data: {

server/routers/resource/authWithPincode.ts

@@ -14,6 +14,7 @@ import {
     serializeResourceSessionCookie,
 } from "@server/auth/resource";
 import logger from "@server/logger";
+import config from "@server/config";
 
 export const authWithPincodeBodySchema = z.object({
     pincode: z.string(),
@@ -127,15 +128,15 @@ export async function authWithPincode(
             token,
             pincodeId: definedPincode.pincodeId,
         });
-        // const secureCookie = resource.ssl;
-        // const cookie = serializeResourceSessionCookie(
-        //     token,
-        //     resource.fullDomain,
-        //     secureCookie,
-        // );
-        // res.appendHeader("Set-Cookie", cookie);
+        const cookieName = `${config.badger.resource_session_cookie_name}_${resource.resourceId}`;
+        const cookie = serializeResourceSessionCookie(
+            cookieName,
+            token,
+            resource.fullDomain,
+        );
+        res.appendHeader("Set-Cookie", cookie);
 
-        // logger.debug(cookie); // remove after testing
+        logger.debug(cookie); // remove after testing
 
         return response<AuthWithPincodeResponse>(res, {
             data: {