k1nq/TREK
1
0
Fork 0
mirror of https://github.com/mauriceboe/TREK.git synced 2026-06-19 21:31:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
eed9e8ce7c1cccf08cfb9692c014370f18f170b8
TREK/server/src/services/ephemeralTokens.ts
T
Maurice eed9e8ce7c Reject WebSocket tokens minted before a password change 
Stamp the user's password_version onto the ephemeral ws token and verify it on connect, closing the socket (4001) when it no longer matches, so a token issued before a password reset can't be replayed. Tokens minted without a version are treated as version 0, matching the JWT pv-claim semantics.
2026-05-31 15:52:19 +02:00

86 lines
2.5 KiB
TypeScript
Raw Blame History

import crypto from 'crypto';
const TTL: Record<string, number> = {
ws: 30_000,
download: 60_000,
};
const MAX_STORE_SIZE = 10_000;
interface TokenEntry {
userId: number;
purpose: string;
expiresAt: number;
/**
* Snapshot of the user's `password_version` at mint time, used for the
* defence-in-depth session gate on WebSocket connects. `undefined` for
* tokens minted without a version (legacy/other purposes), which callers
* treat as version 0 — mirroring the JWT `pv` claim semantics.
*/
pv?: number;
}
export interface EphemeralTokenMeta {
/** Bind the token to the user's current password_version (session gate). */
pv?: number;
}
const store = new Map<string, TokenEntry>();
export function createEphemeralToken(
userId: number,
purpose: string,
meta?: EphemeralTokenMeta,
): string | null {
if (store.size >= MAX_STORE_SIZE) return null;
const token = crypto.randomBytes(32).toString('hex');
const ttl = TTL[purpose] ?? 60_000;
store.set(token, { userId, purpose, expiresAt: Date.now() + ttl, pv: meta?.pv });
return token;
}
export function consumeEphemeralToken(token: string, purpose: string): number | null {
const entry = store.get(token);
if (!entry) return null;
store.delete(token);
if (entry.purpose !== purpose || Date.now() > entry.expiresAt) return null;
return entry.userId;
}
/**
* Like `consumeEphemeralToken`, but also returns the `password_version` the
* token was minted with. Used by the WebSocket handshake so a token issued
* before a password change can be rejected even within its short TTL.
*/
export function consumeEphemeralTokenWithMeta(
token: string,
purpose: string,
): { userId: number; pv?: number } | null {
const entry = store.get(token);
if (!entry) return null;
store.delete(token);
if (entry.purpose !== purpose || Date.now() > entry.expiresAt) return null;
return { userId: entry.userId, pv: entry.pv };
}
let cleanupInterval: ReturnType<typeof setInterval> | null = null;
export function startTokenCleanup(): void {
if (cleanupInterval) return;
cleanupInterval = setInterval(() => {
const now = Date.now();
for (const [token, entry] of store) {
if (now > entry.expiresAt) store.delete(token);
}
}, 60_000);
// Allow process to exit even if interval is active
if (cleanupInterval.unref) cleanupInterval.unref();
}
export function stopTokenCleanup(): void {
if (cleanupInterval) {
clearInterval(cleanupInterval);
cleanupInterval = null;
}
}
Reference in New Issue View Git Blame Copy Permalink