Merge pull request #2338 from nocodb/fix/insufficient-session-expiration

fix: insufficient session expiration
2 years ago · c9b5111b25
9 changed files with 101 additions and 19 deletions
--- a/packages/nc-gui/pages/user/settings/index.vue
+++ b/packages/nc-gui/pages/user/settings/index.vue
@ -227,8 +227,10 @@ export default {
              newPassword: this.passwordDetails.newPassword
            }
          )
-          this.$toast.success('Password changed successfully.').goAway(3000)
+          this.$toast.success('Password changed successfully. Please login again.').goAway(3000)
          this.$refs.formType[0].reset()
+          await this.$store.dispatch('users/ActSignOut')
+          this.$router.push('/user/authentication/signin')
        } catch (e) {
          this.$toast
            .error(await this._extractSdkResponseErrorMsg(e))
--- a/packages/nc-gui/plugins/axiosInterceptor.js
+++ b/packages/nc-gui/plugins/axiosInterceptor.js
@ -77,7 +77,7 @@ export default ({ store, $axios, redirect, $toast, route, app }) => {
          redirect('/')
        } else {
          $toast.clear()
-          $toast.info('Token expired please login to continue', {
+          $toast.info('Token Expired. Please login again.', {
            position: 'bottom-center'
          }).goAway(5000)
          redirect('/user/authentication/signin')
--- a/packages/nocodb/src/lib/meta/api/userApi/initStrategies.ts
+++ b/packages/nocodb/src/lib/meta/api/userApi/initStrategies.ts
@ -53,7 +53,8 @@ export function initStrategies(router): void {
      firstname,
      lastname,
      isAuthorized,
-      isPublicBase
+      isPublicBase,
+      token_version
    },
    done
  ) {
@ -72,7 +73,8 @@ export function initStrategies(router): void {
      provider,
      firstname,
      lastname,
-      roles
+      roles,
+      token_version
    });
  });

@ -100,11 +102,17 @@ export function initStrategies(router): void {
        );

        if (cachedVal) {
+          if (cachedVal.token_version !== jwtPayload.token_version) {
+            return done(new Error('Token Expired. Please login again.'));
+          }
          return done(null, cachedVal);
        }

        User.getByEmail(jwtPayload?.email)
          .then(async user => {
+            if (user.token_version !== jwtPayload.token_version) {
+              return done(new Error('Token Expired. Please login again.'));
+            }
            if (req.ncProjectId) {
              // this.xcMeta
              //   .metaGet(req.ncProjectId, null, 'nc_projects_users', {
--- a/packages/nocodb/src/lib/meta/api/userApi/userApis.ts
+++ b/packages/nocodb/src/lib/meta/api/userApi/userApis.ts
@ -71,7 +71,8 @@ export async function signup(req: Request, res: Response<TableType>) {
        password,
        email_verification_token,
        invite_token: null,
-        invite_token_expires: null
+        invite_token_expires: null,
+        email: user.email
      });
    } else {
      NcError.badRequest('User already exist');
@ -95,6 +96,8 @@ export async function signup(req: Request, res: Response<TableType>) {
      }
    }

+    const token_version = randomTokenString();
+
    await User.insert({
      firstname,
      lastname,
@ -102,7 +105,8 @@ export async function signup(req: Request, res: Response<TableType>) {
      salt,
      password,
      email_verification_token,
-      roles
+      roles,
+      token_version
    });
  }
  user = await User.getByEmail(email);
@ -126,7 +130,8 @@ export async function signup(req: Request, res: Response<TableType>) {
  await promisify((req as any).login.bind(req))(user);
  const refreshToken = randomTokenString();
  await User.update(user.id, {
-    refresh_token: refreshToken
+    refresh_token: refreshToken,
+    email: user.email
  });

  setTokenCookie(res, refreshToken);
@ -148,7 +153,8 @@ export async function signup(req: Request, res: Response<TableType>) {
        firstname: user.firstname,
        lastname: user.lastname,
        id: user.id,
-        roles: user.roles
+        roles: user.roles,
+        token_version: user.token_version
      },
      Noco.getConfig().auth.jwt.secret,
      Noco.getConfig().auth.jwt.options
@ -178,8 +184,15 @@ async function successfulSignIn({
    await promisify((req as any).login.bind(req))(user);
    const refreshToken = randomTokenString();

+    let token_version = user.token_version;
+    if (!token_version) {
+      token_version = randomTokenString();
+    }
+
    await User.update(user.id, {
-      refresh_token: refreshToken
+      refresh_token: refreshToken,
+      email: user.email,
+      token_version
    });
    setTokenCookie(res, refreshToken);

@ -198,7 +211,8 @@ async function successfulSignIn({
          firstname: user.firstname,
          lastname: user.lastname,
          id: user.id,
-          roles: user.roles
+          roles: user.roles,
+          token_version
        },

        Noco.getConfig().auth.jwt.secret,
@ -249,6 +263,7 @@ async function googleSignin(req, res, next) {
 function randomTokenString(): string {
  return crypto.randomBytes(40).toString('hex');
 }
+
 function setTokenCookie(res, token): void {
  // create http only cookie with refresh token that expires in 7 days
  const cookieOptions = {
@ -285,7 +300,8 @@ async function passwordChange(req: Request<any, any>, res): Promise<any> {
  await User.update(user.id, {
    salt,
    password,
-    email: user.email
+    email: user.email,
+    token_version: null
  });

  Audit.insert({
@ -311,8 +327,10 @@ async function passwordForgot(req: Request<any, any>, res): Promise<any> {
  if (user) {
    const token = uuidv4();
    await User.update(user.id, {
+      email: user.email,
      reset_password_token: token,
-      reset_password_expires: new Date(Date.now() + 60 * 60 * 1000)
+      reset_password_expires: new Date(Date.now() + 60 * 60 * 1000),
+      token_version: null
    });
    try {
      const template = (await import('./ui/emailTemplates/forgotPassword'))
@ -363,6 +381,9 @@ async function tokenValidate(req, res): Promise<any> {
  if (user.reset_password_expires < new Date()) {
    NcError.badRequest('Password reset url expired');
  }
+  if (!user.token_version) {
+    NcError.badRequest('Token Expired. Please login again.');
+  }
  res.json(true);
 }

@ -389,8 +410,10 @@ async function passwordReset(req, res): Promise<any> {
  await User.update(user.id, {
    salt,
    password,
+    email: user.email,
    reset_password_expires: null,
-    reset_password_token: ''
+    reset_password_token: '',
+    token_version: null
  });

  Audit.insert({
@ -416,6 +439,7 @@ async function emailVerification(req, res): Promise<any> {
  }

  await User.update(user.id, {
+    email: user.email,
    email_verification_token: '',
    email_verified: true
  });
@ -446,6 +470,7 @@ async function refreshToken(req, res): Promise<any> {
    const refreshToken = randomTokenString();

    await User.update(user.id, {
+      email: user.email,
      refresh_token: refreshToken
    });

--- a/packages/nocodb/src/lib/meta/helpers/ncMetaAclMw.ts
+++ b/packages/nocodb/src/lib/meta/helpers/ncMetaAclMw.ts
@ -2,10 +2,11 @@ import projectAcl from '../../utils/projectAcl';
 import { NextFunction, Request, Response } from 'express';
 import catchError, { NcError } from './catchError';
 import extractProjectIdAndAuthenticate from './extractProjectIdAndAuthenticate';
+
 export default function(handlerFn, permissionName) {
  return [
    extractProjectIdAndAuthenticate,
-    catchError(function authMiddleware(req, _res, next) {
+    catchError(async function authMiddleware(req, _res, next) {
      const roles = req?.session?.passport?.user?.roles;
      if (
        !(
--- a/packages/nocodb/src/lib/migrations/XcMigrationSourcev2.ts
+++ b/packages/nocodb/src/lib/migrations/XcMigrationSourcev2.ts
@ -4,6 +4,7 @@ import * as nc_013_sync_source from './v2/nc_013_sync_source';
 import * as nc_014_alter_column_data_types from './v2/nc_014_alter_column_data_types';
 import * as nc_015_add_meta_col_in_column_table from './v2/nc_015_add_meta_col_in_column_table';
 import * as nc_016_alter_hooklog_payload_types from './v2/nc_016_alter_hooklog_payload_types';
+import * as nc_017_add_user_token_version_column from './v2/nc_017_add_user_token_version_column';

 // Create a custom migration source class
 export default class XcMigrationSourcev2 {
@ -18,7 +19,8 @@ export default class XcMigrationSourcev2 {
      'nc_013_sync_source',
      'nc_014_alter_column_data_types',
      'nc_015_add_meta_col_in_column_table',
-      'nc_016_alter_hooklog_payload_types'
+      'nc_016_alter_hooklog_payload_types',
+      'nc_017_add_user_token_version_column'
    ]);
  }

@ -40,6 +42,8 @@ export default class XcMigrationSourcev2 {
        return nc_015_add_meta_col_in_column_table;
      case 'nc_016_alter_hooklog_payload_types':
        return nc_016_alter_hooklog_payload_types;
+      case 'nc_017_add_user_token_version_column':
+        return nc_017_add_user_token_version_column;
    }
  }
 }
--- a/packages/nocodb/src/lib/migrations/v2/nc_017_add_user_token_version_column.ts
+++ b/packages/nocodb/src/lib/migrations/v2/nc_017_add_user_token_version_column.ts
@ -0,0 +1,37 @@
+import Knex from 'knex';
+
+const up = async (knex: Knex) => {
+  await knex.schema.alterTable('nc_users_v2', table => {
+    table.string('token_version');
+  });
+};
+
+const down = async knex => {
+  await knex.schema.alterTable('nc_users_v2', table => {
+    table.dropColumns('token_version');
+  });
+};
+
+export { up, down };
+
+/**
+ * @copyright Copyright (c) 2021, Xgene Cloud Ltd
+ *
+ * @author Wing-Kam Wong <wingkwong.code@gmail.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
--- a/packages/nocodb/src/lib/models/User.ts
+++ b/packages/nocodb/src/lib/models/User.ts
@ -22,6 +22,7 @@ export default class User implements UserType {
  email_verification_token?: string;
  email_verified: boolean;
  roles?: string;
+  token_version?: string;

  constructor(data: User) {
    Object.assign(this, data);
@ -43,7 +44,8 @@ export default class User implements UserType {
      'reset_password_token',
      'email_verification_token',
      'email_verified',
-      'roles'
+      'roles',
+      'token_version'
    ]);
    const { id } = await ncMeta.metaInsert2(
      null,
@ -71,7 +73,8 @@ export default class User implements UserType {
      'reset_password_token',
      'email_verification_token',
      'email_verified',
-      'roles'
+      'roles',
+      'token_version'
    ]);
    // get existing cache
    const keys = [
--- a/packages/nocodb/src/lib/v1-legacy/rest/RestAuthCtrl.ts
+++ b/packages/nocodb/src/lib/v1-legacy/rest/RestAuthCtrl.ts
@ -42,7 +42,8 @@ passport.serializeUser(function(
    firstname,
    lastname,
    isAuthorized,
-    isPublicBase
+    isPublicBase,
+    token_version
  },
  done
 ) {
@ -61,7 +62,8 @@ passport.serializeUser(function(
    provider,
    firstname,
    lastname,
-    roles
+    roles,
+    token_version
  });
 });