fix: wip

2025-11-20 11:41:44 +10:00 · 2025-02-09 21:57:26 +11:00
parent e128e9369e
commit 5b395fc9ad
68 changed files with 400 additions and 407 deletions
--- a/packages/auth/server/index.ts
+++ b/packages/auth/server/index.ts
@ -28,9 +28,7 @@ export const auth = new Hono<HonoAuthContext>()
 * Handle errors.
 */
 auth.onError((err, c) => {
-  console.error(`-----------`);
-  console.error(`-----------`);
-  console.error(`-----------`);
+  // Todo Remove
  console.error(`${err}`);

  if (err instanceof HTTPException) {
--- a/packages/auth/server/lib/session/session-cookies.ts
+++ b/packages/auth/server/lib/session/session-cookies.ts
@ -2,6 +2,7 @@ import type { Context } from 'hono';
 import { deleteCookie, getSignedCookie, setSignedCookie } from 'hono/cookie';

 import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { useSecureCookies } from '@documenso/lib/constants/auth';
 import { appLog } from '@documenso/lib/utils/debugger';
 import { env } from '@documenso/lib/utils/env';

@ -23,6 +24,18 @@ const getAuthDomain = () => {
  return url.hostname;
 };

+/**
+ * Generic auth session cookie options.
+ */
+export const sessionCookieOptions = {
+  httpOnly: true,
+  path: '/',
+  sameSite: useSecureCookies ? 'none' : 'lax',
+  secure: useSecureCookies,
+  domain: getAuthDomain(),
+  // Todo: Max age for specific auth cookies.
+} as const;
+
 export const extractSessionCookieFromHeaders = (headers: Headers): string | null => {
  const cookieHeader = headers.get('cookie') || '';
  const cookiePairs = cookieHeader.split(';');
@ -54,12 +67,13 @@ export const getSessionCookie = async (c: Context): Promise<string | null> => {
 * @param sessionToken - The session token to set.
 */
 export const setSessionCookie = async (c: Context, sessionToken: string) => {
-  await setSignedCookie(c, sessionCookieName, sessionToken, getAuthSecret(), {
-    path: '/',
-    // sameSite: '', // whats the default? we need to change this for embed right?
-    // secure: true,
-    domain: getAuthDomain(),
-  }).catch((err) => {
+  await setSignedCookie(
+    c,
+    sessionCookieName,
+    sessionToken,
+    getAuthSecret(),
+    sessionCookieOptions,
+  ).catch((err) => {
    appLog('SetSessionCookie', `Error setting signed cookie: ${err}`);

    throw err;
@ -73,9 +87,5 @@ export const setSessionCookie = async (c: Context, sessionToken: string) => {
 * @param sessionToken - The session token to set.
 */
 export const deleteSessionCookie = (c: Context) => {
-  deleteCookie(c, sessionCookieName, {
-    path: '/',
-    secure: true,
-    domain: getAuthDomain(),
-  });
+  deleteCookie(c, sessionCookieName, sessionCookieOptions);
 };
--- a/packages/auth/server/lib/session/session.ts
+++ b/packages/auth/server/lib/session/session.ts
@ -1,6 +1,6 @@
 import { sha256 } from '@oslojs/crypto/sha2';
 import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from '@oslojs/encoding';
-import type { Session, User } from '@prisma/client';
+import { type Session, type User, UserSecurityAuditLogType } from '@prisma/client';

 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import { prisma } from '@documenso/prisma';
@ -49,6 +49,15 @@ export const createSession = async (
    data: session,
  });

+  await prisma.userSecurityAuditLog.create({
+    data: {
+      userId,
+      ipAddress: metadata.ipAddress,
+      userAgent: metadata.userAgent,
+      type: UserSecurityAuditLogType.SIGN_IN,
+    },
+  });
+
  return session;
 };

@ -103,6 +112,18 @@ export const validateSessionToken = async (token: string): Promise<SessionValida
  return { session, user, isAuthenticated: true };
 };

-export const invalidateSession = async (sessionId: string): Promise<void> => {
-  await prisma.session.delete({ where: { id: sessionId } });
+export const invalidateSession = async (
+  sessionId: string,
+  metadata: RequestMetadata,
+): Promise<void> => {
+  const session = await prisma.session.delete({ where: { id: sessionId } });
+
+  await prisma.userSecurityAuditLog.create({
+    data: {
+      userId: session.userId,
+      ipAddress: metadata.ipAddress,
+      userAgent: metadata.userAgent,
+      type: UserSecurityAuditLogType.SIGN_OUT,
+    },
+  });
 };
--- a/packages/auth/server/lib/utils/authorizer.ts
+++ b/packages/auth/server/lib/utils/authorizer.ts
@ -19,4 +19,12 @@ export const onAuthorize = async (user: AuthorizeUser, c: Context<HonoAuthContex
  await createSession(sessionToken, user.userId, metadata);

  await setSessionCookie(c, sessionToken);
+
+  // Todo.
+  // Create the Stripe customer and attach it to the user if it doesn't exist.
+  // if (user.customerId === null && IS_BILLING_ENABLED()) {
+  //   await getStripeCustomerByUser(user).catch((err) => {
+  //     console.error(err);
+  //   });
+  // }
 };
--- a/packages/auth/server/routes/email-password.ts
+++ b/packages/auth/server/routes/email-password.ts
@ -5,6 +5,7 @@ import { DateTime } from 'luxon';
 import { z } from 'zod';

 import { IS_BILLING_ENABLED } from '@documenso/lib/constants/app';
+import { EMAIL_VERIFICATION_STATE } from '@documenso/lib/constants/email';
 import { AppError } from '@documenso/lib/errors/app-error';
 import { jobsClient } from '@documenso/lib/jobs/client';
 import { disableTwoFactorAuthentication } from '@documenso/lib/server-only/2fa/disable-2fa';
@ -18,10 +19,7 @@ import { forgotPassword } from '@documenso/lib/server-only/user/forgot-password'
 import { getMostRecentVerificationTokenByUserId } from '@documenso/lib/server-only/user/get-most-recent-verification-token-by-user-id';
 import { resetPassword } from '@documenso/lib/server-only/user/reset-password';
 import { updatePassword } from '@documenso/lib/server-only/user/update-password';
-import {
-  EMAIL_VERIFICATION_STATE,
-  verifyEmail,
-} from '@documenso/lib/server-only/user/verify-email';
+import { verifyEmail } from '@documenso/lib/server-only/user/verify-email';
 import { env } from '@documenso/lib/utils/env';
 import { prisma } from '@documenso/prisma';
 import { UserSecurityAuditLogType } from '@documenso/prisma/client';
--- a/packages/auth/server/routes/google.ts
+++ b/packages/auth/server/routes/google.ts
@ -10,6 +10,7 @@ import { env } from '@documenso/lib/utils/env';
 import { prisma } from '@documenso/prisma';

 import { AuthenticationErrorCode } from '../lib/errors/error-codes';
+import { sessionCookieOptions } from '../lib/session/session-cookies';
 import { onAuthorize } from '../lib/utils/authorizer';
 import type { HonoAuthContext } from '../types/context';

@ -43,28 +44,22 @@ export const googleRoute = new Hono<HonoAuthContext>()
    const { redirectPath } = c.req.valid('json');

    setCookie(c, 'google_oauth_state', state, {
-      path: '/',
-      httpOnly: true,
-      secure: env('NODE_ENV') === 'production', // Todo: Check.
-      maxAge: 60 * 10, // 10 minutes
-      sameSite: 'lax', // Todo??
+      ...sessionCookieOptions,
+      sameSite: 'lax', // Todo
+      maxAge: 60 * 10, // 10 minutes.
    });

    setCookie(c, 'google_code_verifier', codeVerifier, {
-      path: '/',
-      httpOnly: true,
-      secure: env('NODE_ENV') === 'production', // Todo: Check.
-      maxAge: 60 * 10, // 10 minutes
-      sameSite: 'lax', // Todo??
+      ...sessionCookieOptions,
+      sameSite: 'lax', // Todo
+      maxAge: 60 * 10, // 10 minutes.
    });

    if (redirectPath) {
      setCookie(c, 'google_redirect_path', `${state}:${redirectPath}`, {
-        path: '/',
-        httpOnly: true,
-        secure: env('NODE_ENV') === 'production', // Todo: Check.
-        maxAge: 60 * 10, // 10 minutes
-        sameSite: 'lax', // Todo??
+        ...sessionCookieOptions,
+        sameSite: 'lax', // Todo
+        maxAge: 60 * 10, // 10 minutes.
      });
    }

@ -81,6 +76,7 @@ export const googleRoute = new Hono<HonoAuthContext>()

    const storedState = deleteCookie(c, 'google_oauth_state');
    const storedCodeVerifier = deleteCookie(c, 'google_code_verifier');
+    const storedredirectPath = deleteCookie(c, 'google_redirect_path') ?? '';

    if (!code || !storedState || state !== storedState || !storedCodeVerifier) {
      throw new AppError(AppErrorCode.INVALID_REQUEST, {
@ -88,8 +84,6 @@ export const googleRoute = new Hono<HonoAuthContext>()
      });
    }

-    const storedredirectPath = deleteCookie(c, 'google_redirect_path') ?? '';
-
    // eslint-disable-next-line prefer-const
    let [redirectState, redirectPath] = storedredirectPath.split(':');

--- a/packages/auth/server/routes/sign-out.ts
+++ b/packages/auth/server/routes/sign-out.ts
@ -2,8 +2,11 @@ import { Hono } from 'hono';

 import { invalidateSession, validateSessionToken } from '../lib/session/session';
 import { deleteSessionCookie, getSessionCookie } from '../lib/session/session-cookies';
+import type { HonoAuthContext } from '../types/context';
+
+export const signOutRoute = new Hono<HonoAuthContext>().post('/signout', async (c) => {
+  const metadata = c.get('requestMetadata');

-export const signOutRoute = new Hono().post('/signout', async (c) => {
  const sessionId = await getSessionCookie(c);

  if (!sessionId) {
@ -16,7 +19,7 @@ export const signOutRoute = new Hono().post('/signout', async (c) => {
    return new Response('No session found', { status: 401 });
  }

-  await invalidateSession(session.id);
+  await invalidateSession(session.id, metadata);

  deleteSessionCookie(c);