add my-device and force login

2026-02-22 21:06:37 +00:00 · 2025-11-25 10:51:36 -05:00
parent d23f61d995
commit ac68dbd545
22 changed files with 472 additions and 107 deletions
--- a/server/routers/auth/login.ts
+++ b/server/routers/auth/login.ts
@@ -1,7 +1,9 @@
 import {
    createSession,
    generateSessionToken,
-    serializeSessionCookie
+    invalidateSession,
+    serializeSessionCookie,
+    SESSION_COOKIE_NAME
 } from "@server/auth/sessions/app";
 import { db, resources } from "@server/db";
 import { users, securityKeys } from "@server/db";
@@ -21,11 +23,11 @@ import { UserType } from "@server/types/UserTypes";
 import { logAccessAudit } from "#dynamic/lib/logAccessAudit";

 export const loginBodySchema = z.strictObject({
-        email: z.email().toLowerCase(),
-        password: z.string(),
-        code: z.string().optional(),
-        resourceGuid: z.string().optional()
-    });
+    email: z.email().toLowerCase(),
+    password: z.string(),
+    code: z.string().optional(),
+    resourceGuid: z.string().optional()
+});

 export type LoginBody = z.infer<typeof loginBodySchema>;

@@ -41,6 +43,21 @@ export async function login(
    res: Response,
    next: NextFunction
 ): Promise<any> {
+    const { forceLogin } = req.query;
+    const { session: existingSession } = await verifySession(
+        req,
+        forceLogin === "true"
+    );
+    if (existingSession) {
+        return response<null>(res, {
+            data: null,
+            success: true,
+            error: false,
+            message: "Already logged in",
+            status: HttpCode.OK
+        });
+    }
+
    const parsedBody = loginBodySchema.safeParse(req.body);

    if (!parsedBody.success) {
@@ -55,17 +72,6 @@ export async function login(
    const { email, password, code, resourceGuid } = parsedBody.data;

    try {
-        const { session: existingSession } = await verifySession(req);
-        if (existingSession) {
-            return response<null>(res, {
-                data: null,
-                success: true,
-                error: false,
-                message: "Already logged in",
-                status: HttpCode.OK
-            });
-        }
-
        let resourceId: number | null = null;
        let orgId: string | null = null;
        if (resourceGuid) {
@@ -225,6 +231,12 @@ export async function login(
            }
        }

+        // check for previous cookie value and expire it
+        const previousCookie = req.cookies[SESSION_COOKIE_NAME];
+        if (previousCookie) {
+            await invalidateSession(previousCookie);
+        }
+
        const token = generateSessionToken();
        const sess = await createSession(token, existingUser.userId);
        const isSecure = req.protocol === "https";
--- a/server/routers/auth/verifyDeviceWebAuth.ts
+++ b/server/routers/auth/verifyDeviceWebAuth.ts
@@ -9,17 +9,18 @@ import { db, deviceWebAuthCodes } from "@server/db";
 import { eq, and, gt } from "drizzle-orm";
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
+import { unauthorized } from "@server/auth/unauthorizedResponse";

-const bodySchema = z.object({
-    code: z.string().min(1, "Code is required"),
-    verify: z.boolean().optional().default(false) // If false, just check and return metadata
-}).strict();
+const bodySchema = z
+    .object({
+        code: z.string().min(1, "Code is required"),
+        verify: z.boolean().optional().default(false) // If false, just check and return metadata
+    })
+    .strict();

 // Helper function to hash device code before querying database
 function hashDeviceCode(code: string): string {
-    return encodeHexLowerCase(
-        sha256(new TextEncoder().encode(code))
-    );
+    return encodeHexLowerCase(sha256(new TextEncoder().encode(code)));
 }

 export type VerifyDeviceWebAuthBody = z.infer<typeof bodySchema>;
@@ -41,6 +42,24 @@ export async function verifyDeviceWebAuth(
    res: Response,
    next: NextFunction
 ): Promise<any> {
+    const { user, session } = req;
+    if (!user || !session) {
+        logger.debug("Unauthorized attempt to verify device web auth code");
+        return next(unauthorized());
+    }
+
+    if (!session.issuedAt) {
+        logger.debug("Session missing issuedAt timestamp");
+        return next(unauthorized());
+    }
+
+    // make sure sessions is not older than 5 minutes
+    const now = Date.now();
+    if (now - session.issuedAt > 3 * 60 * 1000) {
+        logger.debug("Session is too old to verify device web auth code");
+        return next(unauthorized());
+    }
+
    const parsedBody = bodySchema.safeParse(req.body);

    if (!parsedBody.success) {
@@ -135,4 +154,3 @@ export async function verifyDeviceWebAuth(
        );
    }
 }
-