switch to monorepo structure

packages/server/src/auth/session.ts

@@ -0,0 +1,135 @@
+import dayjs from "dayjs"
+import uid from "uid-safe"
+import { db } from "~/database.ts"
+import { type User, DEMO_USER } from "~/user/user.ts"
+
+interface Session {
+	id: string
+	signedId: string
+	userId: string
+	durationMs: number
+	expiresAt: number
+}
+
+const SESSION_ID_BYTE_LENGTH = 24
+const SESSION_ID_COOKIE_NAME = "session-id"
+const SESSION_DURATION_MS = 30 * 60 * 1000
+
+const findSessionQuery = db.query("SELECT user_id, expires_at_unix FROM sessions WHERE session_id = $sessionId")
+
+const deleteSessionQuery = db.query("DELETE FROM sessions WHERE session_id = $sessionId")
+const forgetAllSessionsQuery = db.query("DELETE FROM sessions WHERE user_id = $userId")
+const deleteExpiredSessionsQuery = db.query("DELETE FROM sessions WHERE expires_at_unix_ms < $time")
+
+const saveSessionQuery = db.query(
+	"INSERT INTO sessions(session_id, user_id, expires_at_unix_ms) VALUES ($sessionId, $userId, $expiresAt)",
+)
+
+const extendSessionQuery = db.query(
+	"UPDATE sessions SET expires_at_unix_ms = $newExpiryDate WHERE session_id = $session_id",
+)
+
+function startBackgroundSessionCleanup() {
+	setInterval(() => {
+		deleteExpiredSessionsQuery.run({ time: dayjs().valueOf() })
+	}, 5000)
+}
+
+async function newSessionId(): Promise<string> {
+	return await uid(SESSION_ID_BYTE_LENGTH)
+}
+
+function signSessionId(sessionId: string): string {
+	const hasher = new Bun.CryptoHasher("sha256", Bun.env.SESSION_SECRET)
+	hasher.update(sessionId)
+	return `${sessionId}.${hasher.digest("base64url")}`
+}
+
+async function createSessionForUser(user: User, cookies: Bun.CookieMap) {
+	const sessionId = await newSessionId()
+	const signedSessionId = signSessionId(sessionId)
+
+	const expiryDate = dayjs().add(30, "minutes").valueOf()
+
+	saveSessionQuery.run({
+		sessionId,
+		userId: user.id,
+		expiresAt: expiryDate,
+	})
+
+	cookies.set(SESSION_ID_COOKIE_NAME, signedSessionId, {
+		maxAge: user.id === DEMO_USER.id ? undefined : SESSION_DURATION_MS,
+		httpOnly: true,
+	})
+}
+
+async function saveSession(session: Session, cookies: Bun.CookieMap) {
+	cookies.set(SESSION_ID_COOKIE_NAME, session.signedId, {
+		maxAge: SESSION_DURATION_MS,
+		httpOnly: true,
+	})
+}
+
+function verifySession(cookie: Bun.CookieMap): Session | null {
+	const signedSessionId = cookie.get(SESSION_ID_COOKIE_NAME)
+	if (!signedSessionId) {
+		return null
+	}
+
+	const value = signedSessionId.slice(0, signedSessionId.lastIndexOf("."))
+	const expected = signSessionId(value)
+
+	const a = Buffer.from(signedSessionId)
+	const b = Buffer.from(expected)
+
+	const isEqual = a.length === b.length && crypto.timingSafeEqual(a, b)
+	if (!isEqual) {
+		return null
+	}
+
+	const row = findSessionQuery.get({ sessionId: value })
+	if (!row) {
+		return null
+	}
+	const foundSession = row as { user_id: string; expires_at_unix_ms: number }
+
+	const now = dayjs().valueOf()
+	if (now > foundSession.expires_at_unix_ms) {
+		deleteSessionQuery.run({ sessionId: value })
+		return null
+	}
+
+	return {
+		id: value,
+		signedId: signedSessionId,
+		userId: foundSession.user_id,
+		expiresAt: foundSession.expires_at_unix_ms,
+		durationMs: SESSION_DURATION_MS,
+	}
+}
+
+function extendSession(session: Session): Session {
+	const newExpiryDate = dayjs().add(30, "minutes").valueOf()
+	extendSessionQuery.run({
+		sessionId: session.id,
+		newExpiryDate,
+	})
+	return {
+		...session,
+		expiresAt: newExpiryDate,
+	}
+}
+
+function forgetAllSessions(user: User) {
+	forgetAllSessionsQuery.run({ userId: user.id })
+}
+
+export {
+	startBackgroundSessionCleanup,
+	newSessionId,
+	createSessionForUser,
+	verifySession,
+	saveSession,
+	extendSession,
+	forgetAllSessions,
+}