(request: FastifyRequest)
| 4 | |
| 5 | // Checks session token and returns user object |
| 6 | export async function checkSession(request: FastifyRequest) { |
| 7 | try { |
| 8 | const bearer = request.headers.authorization?.split(" ")[1]; |
| 9 | if (!bearer) { |
| 10 | return null; |
| 11 | } |
| 12 | |
| 13 | // Verify JWT token is valid |
| 14 | var b64string = process.env.SECRET; |
| 15 | var secret = Buffer.from(b64string!, "base64"); |
| 16 | |
| 17 | try { |
| 18 | jwt.verify(bearer, secret); |
| 19 | } catch (e) { |
| 20 | // Token is invalid or expired |
| 21 | await prisma.session.delete({ |
| 22 | where: { sessionToken: bearer }, |
| 23 | }); |
| 24 | return null; |
| 25 | } |
| 26 | |
| 27 | // Check if session exists and is not expired |
| 28 | const session = await prisma.session.findUnique({ |
| 29 | where: { sessionToken: bearer }, |
| 30 | include: { user: true }, |
| 31 | }); |
| 32 | |
| 33 | if (!session || session.expires < new Date()) { |
| 34 | // Session expired or doesn't exist |
| 35 | if (session) { |
| 36 | await prisma.session.delete({ |
| 37 | where: { id: session.id }, |
| 38 | }); |
| 39 | } |
| 40 | return null; |
| 41 | } |
| 42 | |
| 43 | // Verify the request is coming from the same client |
| 44 | const currentUserAgent = request.headers["user-agent"]; |
| 45 | const currentIp = request.ip; |
| 46 | |
| 47 | if ( |
| 48 | session.userAgent !== currentUserAgent && |
| 49 | session.ipAddress !== currentIp |
| 50 | ) { |
| 51 | // Potential session hijacking attempt - invalidate the session |
| 52 | await prisma.session.delete({ |
| 53 | where: { id: session.id }, |
| 54 | }); |
| 55 | |
| 56 | return null; |
| 57 | } |
| 58 | |
| 59 | return session.user; |
| 60 | } catch (error) { |
| 61 | return null; |
| 62 | } |
| 63 | } |
no outgoing calls
no test coverage detected