sinvo/docmost
1
0
Fork 0
mirror of https://github.com/docmost/docmost.git synced 2026-05-20 08:34:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: user session management (#2056)

Browse Source 
* user session management

* WIP

* cleanup

* license

* cleanup

* don't cache index

* rename current device property

* fix
This commit is contained in:
Philip Okugbe
2026-03-26 20:00:04 +00:00
committed by GitHub
parent 4e8f533b91
commit 803f1f0b81
32 changed files with 928 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/server/src/core/auth/auth.controller.ts
+23 -2
View File
@@ -5,12 +5,14 @@ import {
HttpStatus,
Inject,
Post,
Req,
Res,
UseGuards,
Logger,
} from '@nestjs/common';
import { LoginDto } from './dto/login.dto';
import { AuthService } from './services/auth.service';
import { SessionService } from '../session/session.service';
import { SetupGuard } from './guards/setup.guard';
import { EnvironmentService } from '../../integrations/environment/environment.service';
import { CreateAdminUserDto } from './dto/create-admin-user.dto';
@@ -22,7 +24,7 @@ import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
import { ForgotPasswordDto } from './dto/forgot-password.dto';
import { PasswordResetDto } from './dto/password-reset.dto';
import { VerifyUserTokenDto } from './dto/verify-user-token.dto';
import { FastifyReply } from 'fastify';
import { FastifyReply, FastifyRequest } from 'fastify';
import { validateSsoEnforcement } from './auth.util';
import { ModuleRef } from '@nestjs/core';
import { AuditEvent, AuditResource } from '../../common/events/audit-events';
@@ -37,6 +39,7 @@ export class AuthController {
constructor(
private authService: AuthService,
private sessionService: SessionService,
private environmentService: EnvironmentService,
private moduleRef: ModuleRef,
@Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
@@ -115,8 +118,15 @@ export class AuthController {
@Body() dto: ChangePasswordDto,
@AuthUser() user: User,
@AuthWorkspace() workspace: Workspace,
@Req() req: FastifyRequest,
) {
return this.authService.changePassword(dto, user.id, workspace.id);
const currentSessionId = (req.raw as any).sessionId;
return this.authService.changePassword(
dto,
user.id,
workspace.id,
currentSessionId,
);
}
@HttpCode(HttpStatus.OK)
@@ -178,8 +188,18 @@ export class AuthController {
@Post('logout')
async logout(
@AuthUser() user: User,
@Req() req: FastifyRequest,
@Res({ passthrough: true }) res: FastifyReply,
) {
const sessionId = (req.raw as any).sessionId;
if (sessionId) {
await this.sessionService.revokeSession(
sessionId,
user.id,
user.workspaceId,
);
}
res.clearCookie('authToken');
this.auditService.log({
@@ -192,6 +212,7 @@ export class AuthController {
setAuthCookie(res: FastifyReply, token: string) {
res.setCookie('authToken', token, {
httpOnly: true,
sameSite: 'lax',
path: '/',
expires: this.environmentService.getCookieExpiresIn(),
secure: this.environmentService.isHttps(),
apps/server/src/core/auth/dto/jwt-payload.ts
+1
View File
@@ -11,6 +11,7 @@ export type JwtPayload = {
email: string;
workspaceId: string;
type: 'access';
sessionId?: string;
};
export type JwtCollabPayload = {
apps/server/src/core/auth/services/auth.service.ts
+21 -4
View File
@@ -8,6 +8,8 @@ import {
import { LoginDto } from '../dto/login.dto';
import { CreateUserDto } from '../dto/create-user.dto';
import { TokenService } from './token.service';
import { SessionService } from '../../session/session.service';
import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
import { SignupService } from './signup.service';
import { CreateAdminUserDto } from '../dto/create-admin-user.dto';
import { UserRepo } from '@docmost/db/repos/user/user.repo';
@@ -44,6 +46,8 @@ export class AuthService {
constructor(
private signupService: SignupService,
private tokenService: TokenService,
private sessionService: SessionService,
private userSessionRepo: UserSessionRepo,
private userRepo: UserRepo,
private userTokenRepo: UserTokenRepo,
private mailService: MailService,
@@ -90,19 +94,19 @@ export class AuthService {
metadata: { source: 'password' },
});
return this.tokenService.generateAccessToken(user);
return this.sessionService.createSessionAndToken(user);
}
async register(createUserDto: CreateUserDto, workspaceId: string) {
const user = await this.signupService.signup(createUserDto, workspaceId);
return this.tokenService.generateAccessToken(user);
return this.sessionService.createSessionAndToken(user);
}
async setup(createAdminUserDto: CreateAdminUserDto) {
const { workspace, user } =
await this.signupService.initialSetup(createAdminUserDto);
const authToken = await this.tokenService.generateAccessToken(user);
const authToken = await this.sessionService.createSessionAndToken(user);
return { workspace, authToken };
}
@@ -110,6 +114,7 @@ export class AuthService {
dto: ChangePasswordDto,
userId: string,
workspaceId: string,
currentSessionId?: string,
): Promise<void> {
const user = await this.userRepo.findById(userId, workspaceId, {
includePassword: true,
@@ -138,6 +143,16 @@ export class AuthService {
workspaceId,
);
if (currentSessionId) {
await this.userSessionRepo.deleteAllExceptCurrent(
currentSessionId,
userId,
workspaceId,
);
} else {
await this.userSessionRepo.deleteByUserId(userId, workspaceId);
}
this.auditService.log({
event: AuditEvent.USER_PASSWORD_CHANGED,
resourceType: AuditResource.USER,
@@ -244,6 +259,8 @@ export class AuthService {
.execute();
});
await this.userSessionRepo.deleteByUserId(user.id, workspace.id);
this.auditService.setActorId(user.id);
this.auditService.log({
event: AuditEvent.USER_PASSWORD_RESET,
@@ -276,7 +293,7 @@ export class AuthService {
};
}
const authToken = await this.tokenService.generateAccessToken(user);
const authToken = await this.sessionService.createSessionAndToken(user);
return { authToken };
}
apps/server/src/core/auth/services/token.service.ts
+2 -1
View File
@@ -25,7 +25,7 @@ export class TokenService {
private environmentService: EnvironmentService,
) {}
async generateAccessToken(user: User): Promise<string> {
async generateAccessToken(user: User, sessionId: string): Promise<string> {
if (isUserDisabled(user)) {
throw new ForbiddenException();
}
@@ -35,6 +35,7 @@ export class TokenService {
email: user.email,
workspaceId: user.workspaceId,
type: JwtType.ACCESS,
sessionId,
};
return this.jwtService.sign(payload);
}
apps/server/src/core/auth/strategies/jwt.strategy.ts
+14
View File
@@ -5,6 +5,8 @@ import { EnvironmentService } from '../../../integrations/environment/environmen
import { JwtApiKeyPayload, JwtPayload, JwtType } from '../dto/jwt-payload';
import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
import { UserRepo } from '@docmost/db/repos/user/user.repo';
import { UserSessionRepo } from '@docmost/db/repos/session/user-session.repo';
import { SessionActivityService } from '../../session/session-activity.service';
import { FastifyRequest } from 'fastify';
import { extractBearerTokenFromHeader, isUserDisabled } from '../../../common/helpers';
import { ModuleRef } from '@nestjs/core';
@@ -16,6 +18,8 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
constructor(
private userRepo: UserRepo,
private workspaceRepo: WorkspaceRepo,
private userSessionRepo: UserSessionRepo,
private sessionActivityService: SessionActivityService,
private readonly environmentService: EnvironmentService,
private moduleRef: ModuleRef,
) {
@@ -57,6 +61,16 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
throw new UnauthorizedException();
}
if ((payload as JwtPayload).sessionId) {
const sessionId = (payload as JwtPayload).sessionId;
const session = await this.userSessionRepo.findActiveById(sessionId);
if (!session || session.userId !== payload.sub || session.workspaceId !== payload.workspaceId) {
throw new UnauthorizedException();
}
req.raw.sessionId = sessionId;
this.sessionActivityService.trackActivity(sessionId, payload.sub, payload.workspaceId);
}
return { user, workspace };
}