feat(security): #328 delete old sessions for change and forgot password

2024-12-17 22:21:46 +01:00
parent 957341eda5
commit b3308d6a90
13 changed files with 288 additions and 120 deletions
--- a/db/auth.go
+++ b/db/auth.go
@@ -100,6 +100,7 @@ type Auth interface {

 	InsertSession(session *Session) error
 	GetSession(sessionId string) (*Session, error)
+	GetSessions(userId uuid.UUID) ([]*Session, error)
 	DeleteSession(sessionId string) error
 	DeleteOldSessions(userId uuid.UUID) error
 }
@@ -416,9 +417,40 @@ func (db AuthSqlite) GetSession(sessionId string) (*Session, error) {
 	return NewSession(sessionId, userId, createdAt, expiresAt), nil
 }

+func (db AuthSqlite) GetSessions(userId uuid.UUID) ([]*Session, error) {
+
+	sessions, err := db.db.Query(`
+			SELECT session_id, created_at, expires_at
+			FROM session 
+			WHERE user_id = ?`, userId)
+	if err != nil {
+		log.Error("Could not get sessions: %v", err)
+		return nil, types.ErrInternal
+	}
+
+	var result []*Session
+
+	for sessions.Next() {
+		var (
+			sessionId string
+			createdAt time.Time
+			expiresAt time.Time
+		)
+
+		sessions.Scan(&sessionId, &createdAt, &expiresAt)
+
+		session := NewSession(sessionId, userId, createdAt, expiresAt)
+		result = append(result, session)
+	}
+
+	return result, nil
+}
+
 func (db AuthSqlite) DeleteOldSessions(userId uuid.UUID) error {
-	// Delete old inactive sessions
-	_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_id = ?", userId)
+	_, err := db.db.Exec(`
+		DELETE FROM session 
+		WHERE expires_at < datetime('now')
+		  AND user_id = ?`, userId)
 	if err != nil {
 		log.Error("Could not delete old sessions: %v", err)
 		return types.ErrInternal