steve/check-printing
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): harden session lifecycle, reset links, and OIDC logging

Browse Source 
- Fix session store expiry: cookie.maxAge is already in milliseconds, so
  stored sessions outlived the cookie by 1000x
- Regenerate the session ID on login, first-run setup, and OIDC login to
  prevent session fixation
- Mark session cookies Secure on TLS connections (secure: 'auto') and add
  TRUST_PROXY support for reverse-proxy deployments
- Build password reset links from APP_BASE_URL instead of the Host header
  to prevent reset-link poisoning
- Rate-limit forgot-password requests (5 per IP per 15 minutes)
- Strip OIDC debug logging that leaked authorization codes, subject IDs,
  and emails to logs
This commit is contained in:
Steve Dogiakos
2026-06-11 21:54:35 -06:00
parent 427b064af1
commit 3fd3285c13
6 changed files with 109 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.env.example
+8
View File
@@ -6,6 +6,14 @@ SESSION_MAX_AGE_HOURS=168 # default: 168 (7 days)
PORT=3000
DB_PATH=/app/data/check-printing.db
# Public base URL of the app — used to build password reset links.
# Strongly recommended in production (prevents host-header link poisoning).
APP_BASE_URL=https://checks.example.com
# Set to 1 when running behind a reverse proxy (TLS termination) so client IPs
# and HTTPS detection work correctly. Leave unset for direct LAN access.
TRUST_PROXY=
# OIDC / SSO (optional — omit or leave blank to disable)
OIDC_ENABLED=false
OIDC_DISCOVERY_URL=https://auth.example.com/.well-known/openid-configuration
README.md
+5
View File
@@ -162,6 +162,8 @@ docker exec -it check-printing node migrations/import-mdb.js \
| `SESSION_MAX_AGE_HOURS` | `168` | Session lifetime in hours (default 7 days) |
| `PORT` | `3000` | HTTP listen port |
| `DB_PATH` | `/app/data/check-printing.db` | SQLite database file path |
| `APP_BASE_URL` | *(empty)* | Public base URL used in password reset links, e.g. `https://checks.example.com`. Recommended in production |
| `TRUST_PROXY` | *(empty)* | Set to `1` when running behind a reverse proxy so client IPs and HTTPS detection work correctly |
| `OIDC_ENABLED` | *(empty)* | Set to `true` or `1` to enable OIDC login |
| `OIDC_DISCOVERY_URL` | *(empty)* | Provider's `.well-known/openid-configuration` URL |
| `OIDC_CLIENT_ID` | *(empty)* | OIDC client ID |
@@ -185,6 +187,9 @@ services:
- check-printing-data:/app/data
environment:
- SESSION_SECRET=${SESSION_SECRET}
# Optional: public base URL for reset links, reverse-proxy support
- APP_BASE_URL=${APP_BASE_URL:-}
- TRUST_PROXY=${TRUST_PROXY:-}
# Optional: OIDC / SSO
- OIDC_ENABLED=${OIDC_ENABLED:-}
- OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-}
docker-compose.yml
+4
View File
@@ -14,6 +14,10 @@ services:
- DB_PATH=/app/data/check-printing.db
# Required in production — generate with: openssl rand -hex 32
- SESSION_SECRET=${SESSION_SECRET}
# Public base URL for password reset links (recommended)
- APP_BASE_URL=${APP_BASE_URL:-}
# Set to 1 when behind a reverse proxy / TLS termination
- TRUST_PROXY=${TRUST_PROXY:-}
# OIDC / SSO (optional — omit or leave blank to disable)
- OIDC_ENABLED=${OIDC_ENABLED:-}
- OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-}
src/app.js
+9 -1
View File
@@ -27,12 +27,20 @@ const SESSION_SECRET = process.env.SESSION_SECRET;
const SESSION_MAX_AGE_MS = (parseInt(process.env.SESSION_MAX_AGE_HOURS, 10) || 168) * 60 * 60 * 1000;
// Behind a reverse proxy (TLS termination), set TRUST_PROXY=1 so req.ip and
// req.protocol reflect the original client instead of the proxy.
if (process.env.TRUST_PROXY === '1' || process.env.TRUST_PROXY === 'true') {
app.set('trust proxy', 1);
}
app.use(session({
store: new SessionStore(db),
secret: SESSION_SECRET,
resave: false,
saveUninitialized: false,
cookie: { httpOnly: true, sameSite: 'strict', maxAge: SESSION_MAX_AGE_MS },
// secure: 'auto' marks the cookie Secure only on TLS connections, so plain-HTTP
// LAN deployments keep working while proxied HTTPS deployments get Secure cookies
cookie: { httpOnly: true, sameSite: 'strict', secure: 'auto', maxAge: SESSION_MAX_AGE_MS },
}));
// Security headers
src/lib/SessionStore.js
+2 -1
View File
@@ -28,8 +28,9 @@ class SessionStore extends Store {
set(sid, sess, cb) {
try {
// cookie.maxAge is already in milliseconds
const maxAge = (sess.cookie && sess.cookie.maxAge)
? sess.cookie.maxAge * 1000
? sess.cookie.maxAge
: 7 * 24 * 60 * 60 * 1000;
const expired = Date.now() + maxAge;
this.db.prepare(
src/routes/auth.js
+69 -70
View File
@@ -15,44 +15,56 @@ function validatePassword(password) {
return null;
}
// ── Login rate limiter ────────────────────────────────────────────────────────
// Tracks failed login attempts per IP. After 10 failures within 15 minutes,
// ── Rate limiting ─────────────────────────────────────────────────────────────
// Sliding-window counter per key (IP). After `max` hits within `windowMs`,
// further attempts are blocked until the window resets.
const loginAttempts = new Map(); // ip -> { count, resetAt }
const RATE_WINDOW_MS = 15 * 60 * 1000; // 15 minutes
const RATE_MAX_FAILS = 10;
function makeRateLimiter(max, windowMs) {
const attempts = new Map(); // key -> { count, resetAt }
function checkLoginRate(ip) {
// Purge stale entries every 30 minutes to prevent unbounded memory growth
setInterval(() => {
const now = Date.now();
const entry = loginAttempts.get(ip);
if (!entry || now > entry.resetAt) {
loginAttempts.set(ip, { count: 0, resetAt: now + RATE_WINDOW_MS });
return true; // allow
for (const [key, entry] of attempts) {
if (now > entry.resetAt) attempts.delete(key);
}
return entry.count < RATE_MAX_FAILS;
}
}, 30 * 60 * 1000).unref();
function recordLoginFailure(ip) {
return {
allowed(key) {
const entry = attempts.get(key);
if (!entry || Date.now() > entry.resetAt) return true;
return entry.count < max;
},
record(key) {
const now = Date.now();
const entry = loginAttempts.get(ip);
const entry = attempts.get(key);
if (!entry || now > entry.resetAt) {
loginAttempts.set(ip, { count: 1, resetAt: now + RATE_WINDOW_MS });
attempts.set(key, { count: 1, resetAt: now + windowMs });
} else {
entry.count++;
}
},
clear(key) {
attempts.delete(key);
},
};
}
function clearLoginFailures(ip) {
loginAttempts.delete(ip);
}
// 10 failed logins per IP per 15 minutes
const loginLimiter = makeRateLimiter(10, 15 * 60 * 1000);
// 5 reset emails per IP per 15 minutes (counts every request, success or not)
const resetLimiter = makeRateLimiter(5, 15 * 60 * 1000);
// Purge stale entries every 30 minutes to prevent unbounded memory growth
setInterval(() => {
const now = Date.now();
for (const [ip, entry] of loginAttempts) {
if (now > entry.resetAt) loginAttempts.delete(ip);
}
}, 30 * 60 * 1000).unref();
// Regenerates the session ID before establishing a login (prevents session fixation)
function establishSession(req, user, cb) {
req.session.regenerate(err => {
if (err) return cb(err);
req.session.userId = user.id;
req.session.username = user.username;
req.session.role = user.role;
cb(null);
});
}
// GET /api/auth/setup-needed — true when no users exist (first-run)
router.get('/setup-needed', (req, res) => {
@@ -75,18 +87,18 @@ router.post('/setup', async (req, res) => {
"INSERT INTO users (username, password_hash, role) VALUES (?, ?, 'admin')"
).run(username.trim(), hash);
req.session.userId = result.lastInsertRowid;
req.session.username = username.trim();
req.session.role = 'admin';
res.status(201).json({ id: result.lastInsertRowid, username: username.trim(), role: 'admin' });
const user = { id: result.lastInsertRowid, username: username.trim(), role: 'admin' };
establishSession(req, user, err => {
if (err) return res.status(500).json({ error: 'Failed to create session.' });
res.status(201).json(user);
});
});
// POST /api/auth/login
router.post('/login', async (req, res) => {
const ip = req.ip || req.socket.remoteAddress || 'unknown';
if (!checkLoginRate(ip)) {
if (!loginLimiter.allowed(ip)) {
return res.status(429).json({ error: 'Too many failed login attempts. Please try again later.' });
}
@@ -95,22 +107,21 @@ router.post('/login', async (req, res) => {
const user = db.prepare('SELECT * FROM users WHERE username = ? COLLATE NOCASE').get(username.trim());
if (!user) {
recordLoginFailure(ip);
loginLimiter.record(ip);
return res.status(401).json({ error: 'Invalid username or password.' });
}
const match = await bcrypt.compare(password, user.password_hash);
if (!match) {
recordLoginFailure(ip);
loginLimiter.record(ip);
return res.status(401).json({ error: 'Invalid username or password.' });
}
clearLoginFailures(ip);
req.session.userId = user.id;
req.session.username = user.username;
req.session.role = user.role;
loginLimiter.clear(ip);
establishSession(req, user, err => {
if (err) return res.status(500).json({ error: 'Failed to create session.' });
res.json({ id: user.id, username: user.username, role: user.role });
});
});
// POST /api/auth/logout
@@ -154,6 +165,12 @@ router.post('/change-password', async (req, res) => {
// POST /api/auth/forgot-password — always 200 to avoid user enumeration
router.post('/forgot-password', async (req, res) => {
const ip = req.ip || req.socket.remoteAddress || 'unknown';
if (!resetLimiter.allowed(ip)) {
return res.status(429).json({ error: 'Too many reset requests. Please try again later.' });
}
resetLimiter.record(ip);
const { email } = req.body;
if (!email) return res.status(400).json({ error: 'Email is required.' });
@@ -168,7 +185,9 @@ router.post('/forgot-password', async (req, res) => {
db.prepare('INSERT INTO password_reset_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)').run(user.id, tokenHash, expiresAt);
})();
const baseUrl = `${req.protocol}://${req.get('host')}`;
// Prefer the configured base URL; deriving it from the Host header lets an
// attacker poison reset links (host header injection)
const baseUrl = (process.env.APP_BASE_URL || `${req.protocol}://${req.get('host')}`).replace(/\/+$/, '');
const resetLink = `${baseUrl}/#reset?token=${token}`;
try {
@@ -221,17 +240,13 @@ function getOidcSettings() {
async function getOidcClient(settings) {
const { Issuer } = require('openid-client');
console.log('[oidc] discovering issuer from:', settings.discovery_url);
const issuer = await Issuer.discover(settings.discovery_url);
console.log('[oidc] discovered issuer:', issuer.issuer);
const client = new issuer.Client({
return new issuer.Client({
client_id: settings.client_id,
client_secret: settings.client_secret,
redirect_uris: [settings.redirect_uri],
response_types: ['code'],
});
console.log('[oidc] client created, redirect_uri:', settings.redirect_uri);
return client;
}
// GET /api/auth/oidc/config — public, returns whether OIDC is enabled + button label
@@ -244,8 +259,6 @@ router.get('/oidc/config', (req, res) => {
router.get('/oidc/authorize', async (req, res) => {
try {
const settings = getOidcSettings();
console.log('[oidc] authorize: enabled=%s, discovery_url=%s, client_id=%s, redirect_uri=%s',
settings.enabled, settings.discovery_url, settings.client_id, settings.redirect_uri);
if (!settings.enabled) return res.status(400).json({ error: 'OIDC is not enabled.' });
const { generators } = require('openid-client');
@@ -266,11 +279,10 @@ router.get('/oidc/authorize', async (req, res) => {
code_challenge_method: 'S256',
});
console.log('[oidc] authorize: redirecting to:', authUrl.substring(0, 200) + '...');
// Ensure session is persisted before redirecting (saveUninitialized is false)
req.session.save(() => res.redirect(authUrl));
} catch (err) {
console.error('[oidc] authorize error:', err.message, err.stack);
console.error('[oidc] authorize error:', err.message);
res.redirect('/#oidc-error=' + encodeURIComponent('Failed to initiate SSO login.'));
}
});
@@ -278,7 +290,6 @@ router.get('/oidc/authorize', async (req, res) => {
// GET /api/auth/oidc/callback — handles the provider redirect
router.get('/oidc/callback', async (req, res) => {
try {
console.log('[oidc] callback: query params:', JSON.stringify(req.query));
const settings = getOidcSettings();
if (!settings.enabled) return res.redirect('/#oidc-error=' + encodeURIComponent('OIDC is not enabled.'));
@@ -287,12 +298,9 @@ router.get('/oidc/callback', async (req, res) => {
console.error('[oidc] callback: no oidc session data found — session may have expired or cookie lost');
return res.redirect('/#oidc-error=' + encodeURIComponent('Session expired. Please try again.'));
}
console.log('[oidc] callback: session has oidc data, linking=%s, linkUserId=%s',
!!oidcSession.linking, oidcSession.linkUserId || 'n/a');
const client = await getOidcClient(settings);
const params = client.callbackParams(req);
console.log('[oidc] callback: exchanging code for tokens...');
const tokenSet = await client.callback(settings.redirect_uri, params, {
code_verifier: oidcSession.code_verifier,
@@ -303,25 +311,21 @@ router.get('/oidc/callback', async (req, res) => {
const claims = tokenSet.claims();
const sub = claims.sub;
const issuer = claims.iss;
console.log('[oidc] callback: token exchange OK, sub=%s, iss=%s, email=%s, name=%s',
sub, issuer, claims.email || 'n/a', claims.name || 'n/a');
delete req.session.oidc;
// Self-service linking flow
if (oidcSession.linking && oidcSession.linkUserId) {
console.log('[oidc] callback: linking flow for userId=%s', oidcSession.linkUserId);
const existing = db.prepare(
'SELECT id FROM users WHERE oidc_issuer = ? AND oidc_sub = ? AND id != ?'
).get(issuer, sub, oidcSession.linkUserId);
if (existing) {
console.warn('[oidc] callback: identity already linked to userId=%s', existing.id);
return res.redirect('/#oidc-error=' + encodeURIComponent('This identity is already linked to another account.'));
}
db.prepare("UPDATE users SET oidc_sub = ?, oidc_issuer = ?, updated_at = datetime('now') WHERE id = ?")
.run(sub, issuer, oidcSession.linkUserId);
console.log('[oidc] callback: linked sub=%s to userId=%s', sub, oidcSession.linkUserId);
console.log('[oidc] linked identity to userId=%s', oidcSession.linkUserId);
return res.redirect('/#oidc-linked');
}
@@ -331,26 +335,23 @@ router.get('/oidc/callback', async (req, res) => {
).get(issuer, sub);
if (!user) {
console.warn('[oidc] callback: no user found for iss=%s sub=%s — not linked', issuer, sub);
console.warn('[oidc] callback: identity not linked to any user');
return res.redirect('/#oidc-error=' + encodeURIComponent(
'No account is linked to this identity. Ask an admin to link your account, or sign in with your password and link it yourself.'
));
}
console.log('[oidc] callback: login success, userId=%s, username=%s, role=%s', user.id, user.username, user.role);
req.session.userId = user.id;
req.session.username = user.username;
req.session.role = user.role;
console.log('[oidc] login success for userId=%s', user.id);
establishSession(req, user, err => {
if (err) return res.redirect('/#oidc-error=' + encodeURIComponent('SSO login failed. Please try again.'));
// Load account access into session (mirrors login behavior)
if (user.role !== 'admin') {
const accts = db.prepare('SELECT account_id, role FROM user_accounts WHERE user_id = ?').all(user.id);
req.session.accounts = accts;
req.session.accounts = db.prepare('SELECT account_id, role FROM user_accounts WHERE user_id = ?').all(user.id);
}
res.redirect('/');
});
} catch (err) {
console.error('[oidc] callback error:', err.message, err.stack);
console.error('[oidc] callback error:', err.message);
res.redirect('/#oidc-error=' + encodeURIComponent('SSO login failed. Please try again.'));
}
});
@@ -362,7 +363,6 @@ router.get('/oidc/link', async (req, res) => {
}
try {
console.log('[oidc] link: userId=%s initiating linking flow', req.session.userId);
const settings = getOidcSettings();
if (!settings.enabled) return res.redirect('/#oidc-error=' + encodeURIComponent('OIDC is not enabled.'));
@@ -384,10 +384,9 @@ router.get('/oidc/link', async (req, res) => {
code_challenge_method: 'S256',
});
console.log('[oidc] link: redirecting to provider');
req.session.save(() => res.redirect(authUrl));
} catch (err) {
console.error('[oidc] link error:', err.message, err.stack);
console.error('[oidc] link error:', err.message);
res.redirect('/#oidc-error=' + encodeURIComponent('Failed to initiate SSO linking.'));
}
});