Add COUPLE_SESSION_WITH_COOKIE_NAME env var (#1881)

* Add COUPLE_SESSION_WITH_COOKIE_NAME env var

This means the user's session will be reset if the value of the coupled cookie name changes.

Useful if the app is deployed on a subpath of another site, and you want to reset the session when the auth
for the user changes

* fix test

.env

@@ -80,6 +80,9 @@ ALTERNATIVE_REDIRECT_URLS=`[]`
 ### Cookies
 # name of the cookie used to store the session
 COOKIE_NAME=hf-chat
+# If the value of this cookie changes, the session is destroyed. Useful if chat-ui is deployed on a subpath
+# of your domain, and you want chat ui sessions to reset if the user's auth changes
+COUPLE_SESSION_WITH_COOKIE_NAME=
 # specify secure behaviour for cookies 
 COOKIE_SAMESITE=# can be "lax", "strict", "none" or left empty
 COOKIE_SECURE=# set to true to only allow cookies over https

src/lib/server/auth.ts

@@ -17,6 +17,7 @@ import { logger } from "$lib/server/logger";
 import { ObjectId } from "mongodb";
 import type { Cookie } from "elysia";
 import { adminTokenManager } from "./adminToken";
+import type { User } from "$lib/types/User";
 
 export interface OIDCSettings {
 	redirectURI: string;
@@ -72,14 +73,27 @@ export function refreshSessionCookie(cookies: Cookies, sessionId: string) {
 	});
 }
 
-export async function findUser(sessionId: string) {
+export async function findUser(
+	sessionId: string,
+	coupledCookieHash?: string
+): Promise<{
+	user: User | null;
+	invalidateSession: boolean;
+}> {
 	const session = await collections.sessions.findOne({ sessionId });
 
 	if (!session) {
-		return null;
+		return { user: null, invalidateSession: false };
+	}
+
+	if (coupledCookieHash && session.coupledCookieHash !== coupledCookieHash) {
+		return { user: null, invalidateSession: true };
 	}
 
-	return await collections.users.findOne({ _id: session.userId });
+	return {
+		user: await collections.users.findOne({ _id: session.userId }),
+		invalidateSession: false,
+	};
 }
 export const authCondition = (locals: App.Locals) => {
 	if (!locals.user && !locals.sessionId) {
@@ -191,6 +205,23 @@ type HeaderRecord =
 	| { type: "elysia"; value: Record<string, string | undefined> }
 	| { type: "svelte"; value: Headers };
 
+export async function getCoupledCookieHash(cookie: CookieRecord): Promise<string | undefined> {
+	if (!config.COUPLE_SESSION_WITH_COOKIE_NAME) {
+		return undefined;
+	}
+
+	const cookieValue =
+		cookie.type === "elysia"
+			? cookie.value[config.COUPLE_SESSION_WITH_COOKIE_NAME]?.value
+			: cookie.value.get(config.COUPLE_SESSION_WITH_COOKIE_NAME);
+
+	if (!cookieValue) {
+		return "no-cookie";
+	}
+
+	return await sha256(cookieValue);
+}
+
 export async function authenticateRequest(
 	headers: HeaderRecord,
 	cookie: CookieRecord,
@@ -238,12 +269,23 @@ export async function authenticateRequest(
 	if (token) {
 		secretSessionId = token;
 		sessionId = await sha256(token);
-		const user = await findUser(sessionId);
+
+		const result = await findUser(sessionId, await getCoupledCookieHash(cookie));
+
+		if (result.invalidateSession) {
+			secretSessionId = crypto.randomUUID();
+			sessionId = await sha256(secretSessionId);
+
+			if (await collections.sessions.findOne({ sessionId })) {
+				throw new Error("Session ID collision");
+			}
+		}
+
 		return {
-			user: user ?? undefined,
+			user: result.user ?? undefined,
 			sessionId,
 			secretSessionId,
-			isAdmin: user?.isAdmin || adminTokenManager.isAdmin(sessionId),
+			isAdmin: result.user?.isAdmin || adminTokenManager.isAdmin(sessionId),
 		};
 	}
 

src/lib/types/Session.ts

@@ -10,4 +10,5 @@ export interface Session extends Timestamps {
 	ip?: string;
 	expiresAt: Date;
 	admin?: boolean;
+	coupledCookieHash?: string;
 }

src/routes/login/callback/updateUser.spec.ts

@@ -90,7 +90,7 @@ describe("login", () => {
 	it("should create default settings for new user", async () => {
 		await updateUser({ userData, locals, cookies: cookiesMock });
 
-		const user = await findUser(locals.sessionId);
+		const user = (await findUser(locals.sessionId)).user;
 
 		assert.exists(user);
 

src/routes/login/callback/updateUser.ts

@@ -1,4 +1,4 @@
-import { refreshSessionCookie } from "$lib/server/auth";
+import { getCoupledCookieHash, refreshSessionCookie } from "$lib/server/auth";
 import { collections } from "$lib/server/database";
 import { ObjectId } from "mongodb";
 import { DEFAULT_SETTINGS } from "$lib/types/Settings";
@@ -119,6 +119,9 @@ export async function updateUser(params: {
 
 	locals.sessionId = sessionId;
 
+	// Get cookie hash if coupling is enabled
+	const coupledCookieHash = await getCoupledCookieHash({ type: "svelte", value: cookies });
+
 	if (existingUser) {
 		// update existing user if any
 		await collections.users.updateOne(
@@ -137,6 +140,7 @@ export async function updateUser(params: {
 			userAgent,
 			ip,
 			expiresAt: addWeeks(new Date(), 2),
+			...(coupledCookieHash ? { coupledCookieHash } : {}),
 		});
 	} else {
 		// user doesn't exist yet, create a new one
@@ -164,6 +168,7 @@ export async function updateUser(params: {
 			userAgent,
 			ip,
 			expiresAt: addWeeks(new Date(), 2),
+			...(coupledCookieHash ? { coupledCookieHash } : {}),
 		});
 
 		// move pre-existing settings to new user