diff --git a/server/apiServer.ts b/server/apiServer.ts index 7c64c14f..0b5a6305 100644 --- a/server/apiServer.ts +++ b/server/apiServer.ts @@ -21,6 +21,7 @@ import HttpCode from "./types/HttpCode"; import requestTimeoutMiddleware from "./middlewares/requestTimeout"; import { createStore } from "@server/lib/private/rateLimitStore"; import hybridRouter from "@server/routers/private/hybrid"; +import { stripDuplicateSesions } from "./middlewares/stripDuplicateSessions"; const dev = config.isDev; const externalPort = config.getRawConfig().server.external_port; @@ -73,6 +74,7 @@ export function createApiServer() { apiServer.use(csrfProtectionMiddleware); } + apiServer.use(stripDuplicateSesions); apiServer.use(cookieParser()); apiServer.use(express.json()); diff --git a/server/internalServer.ts b/server/internalServer.ts index 92da137f..0ba64eec 100644 --- a/server/internalServer.ts +++ b/server/internalServer.ts @@ -9,6 +9,7 @@ import { notFoundMiddleware } from "@server/middlewares"; import internal from "@server/routers/internal"; +import { stripDuplicateSesions } from "./middlewares/stripDuplicateSessions"; const internalPort = config.getRawConfig().server.internal_port; @@ -17,6 +18,7 @@ export function createInternalServer() { internalServer.use(helmet()); internalServer.use(cors()); + internalServer.use(stripDuplicateSesions); internalServer.use(cookieParser()); internalServer.use(express.json()); diff --git a/server/middlewares/stripDuplicateSessions.ts b/server/middlewares/stripDuplicateSessions.ts new file mode 100644 index 00000000..2558e511 --- /dev/null +++ b/server/middlewares/stripDuplicateSessions.ts @@ -0,0 +1,49 @@ +import { NextFunction, Response } from "express"; +import ErrorResponse from "@server/types/ErrorResponse"; +import { + SESSION_COOKIE_NAME, + validateSessionToken +} from "@server/auth/sessions/app"; + +export const stripDuplicateSesions = async ( + req: any, + res: Response, + next: NextFunction +) => { + const cookieHeader: string | undefined = req.headers.cookie; + if (!cookieHeader) { + return next(); + } + + const cookies = cookieHeader.split(";").map((cookie) => cookie.trim()); + const sessionCookies = cookies.filter((cookie) => + cookie.startsWith(`${SESSION_COOKIE_NAME}=`) + ); + + const validSessions: string[] = []; + if (sessionCookies.length > 1) { + for (const cookie of sessionCookies) { + const cookieValue = cookie.split("=")[1]; + const res = await validateSessionToken(cookieValue); + if (res.session && res.user) { + validSessions.push(cookieValue); + } + } + + if (validSessions.length > 0) { + const newCookieHeader = cookies.filter((cookie) => { + if (cookie.startsWith(`${SESSION_COOKIE_NAME}=`)) { + const cookieValue = cookie.split("=")[1]; + return validSessions.includes(cookieValue); + } + return true; + }); + req.headers.cookie = newCookieHeader.join("; "); + if (req.cookies) { + req.cookies[SESSION_COOKIE_NAME] = validSessions[0]; + } + } + } + + return next(); +}; diff --git a/server/nextServer.ts b/server/nextServer.ts index 4c96d04f..78169f03 100644 --- a/server/nextServer.ts +++ b/server/nextServer.ts @@ -3,6 +3,7 @@ import express from "express"; import { parse } from "url"; import logger from "@server/logger"; import config from "@server/lib/config"; +import { stripDuplicateSesions } from "./middlewares/stripDuplicateSessions"; const nextPort = config.getRawConfig().server.next_port; @@ -15,6 +16,8 @@ export async function createNextServer() { const nextServer = express(); + nextServer.use(stripDuplicateSesions); + nextServer.all("/{*splat}", (req, res) => { const parsedUrl = parse(req.url!, true); return handle(req, res, parsedUrl);