fix: wip

packages/auth/server/lib/session/session-cookies.ts

@@ -2,6 +2,7 @@ import type { Context } from 'hono';
 import { deleteCookie, getSignedCookie, setSignedCookie } from 'hono/cookie';
 
 import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
+import { useSecureCookies } from '@documenso/lib/constants/auth';
 import { appLog } from '@documenso/lib/utils/debugger';
 import { env } from '@documenso/lib/utils/env';
 
@@ -23,6 +24,18 @@ const getAuthDomain = () => {
   return url.hostname;
 };
 
+/**
+ * Generic auth session cookie options.
+ */
+export const sessionCookieOptions = {
+  httpOnly: true,
+  path: '/',
+  sameSite: useSecureCookies ? 'none' : 'lax',
+  secure: useSecureCookies,
+  domain: getAuthDomain(),
+  // Todo: Max age for specific auth cookies.
+} as const;
+
 export const extractSessionCookieFromHeaders = (headers: Headers): string | null => {
   const cookieHeader = headers.get('cookie') || '';
   const cookiePairs = cookieHeader.split(';');
@@ -54,12 +67,13 @@ export const getSessionCookie = async (c: Context): Promise<string | null> => {
  * @param sessionToken - The session token to set.
  */
 export const setSessionCookie = async (c: Context, sessionToken: string) => {
-  await setSignedCookie(c, sessionCookieName, sessionToken, getAuthSecret(), {
-    path: '/',
-    // sameSite: '', // whats the default? we need to change this for embed right?
-    // secure: true,
-    domain: getAuthDomain(),
-  }).catch((err) => {
+  await setSignedCookie(
+    c,
+    sessionCookieName,
+    sessionToken,
+    getAuthSecret(),
+    sessionCookieOptions,
+  ).catch((err) => {
     appLog('SetSessionCookie', `Error setting signed cookie: ${err}`);
 
     throw err;
@@ -73,9 +87,5 @@ export const setSessionCookie = async (c: Context, sessionToken: string) => {
  * @param sessionToken - The session token to set.
  */
 export const deleteSessionCookie = (c: Context) => {
-  deleteCookie(c, sessionCookieName, {
-    path: '/',
-    secure: true,
-    domain: getAuthDomain(),
-  });
+  deleteCookie(c, sessionCookieName, sessionCookieOptions);
 };

packages/auth/server/lib/session/session.ts

@@ -1,6 +1,6 @@
 import { sha256 } from '@oslojs/crypto/sha2';
 import { encodeBase32LowerCaseNoPadding, encodeHexLowerCase } from '@oslojs/encoding';
-import type { Session, User } from '@prisma/client';
+import { type Session, type User, UserSecurityAuditLogType } from '@prisma/client';
 
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import { prisma } from '@documenso/prisma';
@@ -49,6 +49,15 @@ export const createSession = async (
     data: session,
   });
 
+  await prisma.userSecurityAuditLog.create({
+    data: {
+      userId,
+      ipAddress: metadata.ipAddress,
+      userAgent: metadata.userAgent,
+      type: UserSecurityAuditLogType.SIGN_IN,
+    },
+  });
+
   return session;
 };
 
@@ -103,6 +112,18 @@ export const validateSessionToken = async (token: string): Promise<SessionValida
   return { session, user, isAuthenticated: true };
 };
 
-export const invalidateSession = async (sessionId: string): Promise<void> => {
-  await prisma.session.delete({ where: { id: sessionId } });
+export const invalidateSession = async (
+  sessionId: string,
+  metadata: RequestMetadata,
+): Promise<void> => {
+  const session = await prisma.session.delete({ where: { id: sessionId } });
+
+  await prisma.userSecurityAuditLog.create({
+    data: {
+      userId: session.userId,
+      ipAddress: metadata.ipAddress,
+      userAgent: metadata.userAgent,
+      type: UserSecurityAuditLogType.SIGN_OUT,
+    },
+  });
 };

packages/auth/server/lib/utils/authorizer.ts

@@ -19,4 +19,12 @@ export const onAuthorize = async (user: AuthorizeUser, c: Context<HonoAuthContex
   await createSession(sessionToken, user.userId, metadata);
 
   await setSessionCookie(c, sessionToken);
+
+  // Todo.
+  // Create the Stripe customer and attach it to the user if it doesn't exist.
+  // if (user.customerId === null && IS_BILLING_ENABLED()) {
+  //   await getStripeCustomerByUser(user).catch((err) => {
+  //     console.error(err);
+  //   });
+  // }
 };