fix(security): Fix session revocation

HeyPuter · Apr 25, 2024 · eb166a6 · eb166a6
1 parent 51a6d1e
commit eb166a6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/packages/backend/src/services/SessionService.js b/packages/backend/src/services/SessionService.js
@@ -89,6 +89,8 @@ class SessionService extends BaseService {
     }
 
     remove_internal_values_ (session) {
+        if ( session === undefined ) return;
+
         const copy = {
             ...session,
         };
@@ -128,12 +130,18 @@ class SessionService extends BaseService {
             if ( now - session.last_store > 5 * MINUTE ) {
                 this.log.debug('storing session meta: ' + session.uuid);
                 const unix_ts = Math.floor(now / 1000);
-                await this.db.write(
+                const { anyRowsAffected } = await this.db.write(
                     'UPDATE `sessions` ' +
                     'SET `meta` = ?, `last_activity` = ? ' +
                     'WHERE `uuid` = ?',
                     [JSON.stringify(session.meta), unix_ts, session.uuid],
                 );
+
+                if ( ! anyRowsAffected ) {
+                    delete this.sessions[key];
+                    continue;
+                }
+
                 session.last_store = now;
                 if (
                     ! user_updates[session.user_id] ||

diff --git a/packages/backend/src/services/auth/AuthService.js b/packages/backend/src/services/auth/AuthService.js
@@ -391,10 +391,7 @@ class AuthService extends BaseService {
 
     async revoke_session (actor, uuid) {
         delete this.sessions[uuid];
-        await this.db.write(
-            `DELETE FROM sessions WHERE uuid = ? AND user_id = ?`,
-            [uuid, actor.type.user.id]
-        );
+        this.svc_session.remove_session(uuid);
     }
 
     async get_user_app_token_from_origin (origin) {