fix(GRO-2234): bounded sliding expiration for SSO portal sessions (#183)
This commit was merged in pull request #183.
This commit is contained in:
@@ -8,6 +8,32 @@ export interface PortalEnv {
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* Idle lifetime of an SSO-bridge portal impersonation session. Each authenticated
|
||||
* portal request slides `expiresAt` forward to `now + IDLE_TTL`, so an actively-used
|
||||
* session (e.g. a customer working through the multi-step Book New wizard) never
|
||||
* lapses mid-flow. Matches the staff-console impersonation idle window
|
||||
* (SESSION_TIMEOUT_MINUTES in routes/impersonation.ts). (GRO-2234)
|
||||
*/
|
||||
export const PORTAL_SESSION_IDLE_TTL_MS = 30 * 60 * 1000;
|
||||
|
||||
/**
|
||||
* Absolute cap on a single SSO-bridge portal session's lifetime, measured from
|
||||
* `startedAt`. Sliding can never extend a session beyond this bound, keeping the
|
||||
* impersonation model bounded regardless of how long a customer keeps the tab
|
||||
* active. Deliberately tighter than the previous static 24h mint. (GRO-2234)
|
||||
*/
|
||||
export const PORTAL_SESSION_MAX_LIFETIME_MS = 8 * 60 * 60 * 1000;
|
||||
|
||||
/**
|
||||
* Minimum extension before we issue a sliding-expiration write. Avoids a DB write
|
||||
* on every rapid successive request — at most one slide per minute per session.
|
||||
*/
|
||||
const PORTAL_SESSION_SLIDE_THRESHOLD_MS = 60 * 1000;
|
||||
|
||||
/** Reason marker for sessions minted by the Better Auth -> portal bridge. */
|
||||
const SSO_BRIDGE_REASON = "sso-bridge";
|
||||
|
||||
/**
|
||||
* Validates the X-Impersonation-Session-Id header against the impersonationSessions table.
|
||||
* Must be applied to all portal routes.
|
||||
@@ -16,6 +42,12 @@ export interface PortalEnv {
|
||||
* id = sessionId AND status = 'active', and checks session.expiresAt > new Date().
|
||||
* Returns 401 if session is invalid/missing/expired.
|
||||
* On success, sets c.set("portalClientId", session.clientId) and c.set("portalSessionId", session.id).
|
||||
*
|
||||
* Sliding expiration (GRO-2234): for SSO-bridge sessions, each successful request
|
||||
* extends `expiresAt` to `now + PORTAL_SESSION_IDLE_TTL_MS`, bounded by
|
||||
* `startedAt + PORTAL_SESSION_MAX_LIFETIME_MS`. Staff-initiated impersonation
|
||||
* sessions (any other `reason`) are left untouched, preserving their existing
|
||||
* console-enforced timeout behavior.
|
||||
*/
|
||||
export const validatePortalSession: MiddlewareHandler<PortalEnv> = async (c, next) => {
|
||||
const sessionId = c.req.header("X-Impersonation-Session-Id");
|
||||
@@ -24,16 +56,29 @@ export const validatePortalSession: MiddlewareHandler<PortalEnv> = async (c, nex
|
||||
}
|
||||
|
||||
const db = getDb();
|
||||
const now = new Date();
|
||||
const [session] = await db
|
||||
.select()
|
||||
.from(impersonationSessions)
|
||||
.where(and(eq(impersonationSessions.id, sessionId), eq(impersonationSessions.status, "active")))
|
||||
.limit(1);
|
||||
|
||||
if (!session || session.expiresAt <= new Date()) {
|
||||
if (!session || session.expiresAt <= now) {
|
||||
return c.json({ error: "Unauthorized" }, 401);
|
||||
}
|
||||
|
||||
// Sliding expiration for SSO-bridge portal sessions only (GRO-2234).
|
||||
if (session.reason === SSO_BRIDGE_REASON) {
|
||||
const maxExpiry = session.startedAt.getTime() + PORTAL_SESSION_MAX_LIFETIME_MS;
|
||||
const slidExpiry = Math.min(now.getTime() + PORTAL_SESSION_IDLE_TTL_MS, maxExpiry);
|
||||
if (slidExpiry - session.expiresAt.getTime() >= PORTAL_SESSION_SLIDE_THRESHOLD_MS) {
|
||||
await db
|
||||
.update(impersonationSessions)
|
||||
.set({ expiresAt: new Date(slidExpiry) })
|
||||
.where(eq(impersonationSessions.id, session.id));
|
||||
}
|
||||
}
|
||||
|
||||
c.set("portalClientId", session.clientId);
|
||||
c.set("portalSessionId", session.id);
|
||||
await next();
|
||||
|
||||
Reference in New Issue
Block a user