
Function checkSession

apps/api/src/lib/session.ts:6–63  ·  view source on GitHub ↗
(request: FastifyRequest)


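// Checks session token and returns user object
/**
 * Resolves the caller's session from the `Authorization` header.
 *
 * The bearer token must be a JWT that verifies against `process.env.SECRET`
 * (a base64-encoded HMAC secret) AND must map to a stored, unexpired
 * `session` row. A session whose recorded user agent and IP address both
 * differ from the current request is treated as hijacked and deleted.
 *
 * @param request - The incoming Fastify request; only `headers`, `ip` and
 *   `log` are read.
 * @returns The user attached to the session, or `null` whenever the token is
 *   missing, fails signature/expiry verification, has no session row, the
 *   session is expired, or the client-binding check fails. Never throws:
 *   unexpected failures (e.g. database errors) are logged and map to `null`,
 *   so callers can treat any non-null result as authenticated.
 */
export async function checkSession(request: FastifyRequest) {
  try {
    // Expected form is `Authorization: Bearer <token>`. The scheme word is
    // not validated here (kept as-is for compatibility with existing callers);
    // only the second space-separated field is used.
    const bearer = request.headers.authorization?.split(" ")[1];
    if (!bearer) {
      return null;
    }

    // The signing secret is stored base64-encoded. Fail closed, and say why in
    // the log, instead of attempting verification with an undefined key.
    const b64string = process.env.SECRET;
    if (!b64string) {
      request.log.error("checkSession: SECRET is not configured; rejecting token");
      return null;
    }
    const secret = Buffer.from(b64string, "base64");

    // Verify signature and expiry before touching the database.
    // NOTE(review): no `algorithms` option is passed, so the accepted
    // algorithm set is whatever the installed jsonwebtoken version defaults
    // to for a Buffer secret — confirm it matches what the signer uses.
    try {
      jwt.verify(bearer, secret);
    } catch (e) {
      // Token is invalid or expired: drop any session row still keyed by it.
      // deleteMany does not throw when no row matches, unlike delete(), so the
      // "no such session" case no longer depends on the outer catch.
      await prisma.session.deleteMany({
        where: { sessionToken: bearer },
      });
      return null;
    }

    // A valid signature alone is not enough: the session must still exist
    // server-side, which is what makes logout / revocation effective.
    const session = await prisma.session.findUnique({
      where: { sessionToken: bearer },
      include: { user: true },
    });

    if (!session || session.expires < new Date()) {
      // Session expired or doesn't exist; clean up the expired row if present.
      if (session) {
        await prisma.session.delete({
          where: { id: session.id },
        });
      }
      return null;
    }

    // Client-binding check. The session is only invalidated when BOTH the
    // user agent and the IP differ from what was recorded at login; a single
    // change (IP roaming, browser update) is tolerated. Presumably deliberate
    // to limit false positives — verify against the project's threat model.
    const currentUserAgent = request.headers["user-agent"];
    const currentIp = request.ip;

    if (
      session.userAgent !== currentUserAgent &&
      session.ipAddress !== currentIp
    ) {
      // Potential session hijacking attempt - invalidate the session
      await prisma.session.delete({
        where: { id: session.id },
      });

      return null;
    }

    return session.user;
  } catch (error) {
    // Any unexpected failure (database, malformed env, etc.) denies access
    // rather than crashing the request, but is logged so it is not silent.
    request.log.error({ err: error }, "checkSession failed; treating as unauthenticated");
    return null;
  }
}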

Callers 7

roleRoutesFunction · 0.90
userRoutesFunction · 0.90
notebookRoutesFunction · 0.90
ticketRoutesFunction · 0.90
authRoutesFunction · 0.90
webhookRoutesFunction · 0.90
requirePermissionFunction · 0.90

Calls

no outgoing calls

Tested by

no test coverage detected