commit 2aabf30dac4e0a2088f5963eb87fd416cbf61fef · dunkirk.sh/thistle

+34

src/lib/auth.test.ts

···

       130
       130
        
       	};

     

       131
       131
        
       	expect(typeof result.count).toBe("number");

     

       132
       132
        
       });

     

       133
       133
       +
       

     

       134
       134
       +
       test("enforces maximum session limit per user", () => {

     

       135
       135
       +
       	const userId = 999;

     

       136
       136
       +
       

     

       137
       137
       +
       	// Clean up any existing sessions for this user

     

       138
       138
       +
       	db.run("DELETE FROM sessions WHERE user_id = ?", [userId]);

     

       139
       139
       +
       

     

       140
       140
       +
       	// Create 11 sessions (limit is 10)

     

       141
       141
       +
       	const sessionIds: string[] = [];

     

       142
       142
       +
       	for (let i = 0; i < 11; i++) {

     

       143
       143
       +
       		const sessionId = createSession(userId, `192.168.1.${i}`, `Agent ${i}`);

     

       144
       144
       +
       		sessionIds.push(sessionId);

     

       145
       145
       +
       	}

     

       146
       146
       +
       

     

       147
       147
       +
       	// Count total sessions for user

     

       148
       148
       +
       	const sessionCount = db

     

       149
       149
       +
       		.query<{ count: number }, [number]>(

     

       150
       150
       +
       			"SELECT COUNT(*) as count FROM sessions WHERE user_id = ?",

     

       151
       151
       +
       		)

     

       152
       152
       +
       		.get(userId);

     

       153
       153
       +
       

     

       154
       154
       +
       	expect(sessionCount?.count).toBe(10);

     

       155
       155
       +
       

     

       156
       156
       +
       	// First session should be deleted (oldest)

     

       157
       157
       +
       	const firstSession = getSession(sessionIds[0]);

     

       158
       158
       +
       	expect(firstSession).toBeNull();

     

       159
       159
       +
       

     

       160
       160
       +
       	// Last session should exist (newest)

     

       161
       161
       +
       	const lastSession = getSession(sessionIds[10]);

     

       162
       162
       +
       	expect(lastSession).not.toBeNull();

     

       163
       163
       +
       

     

       164
       164
       +
       	// Cleanup

     

       165
       165
       +
       	db.run("DELETE FROM sessions WHERE user_id = ?", [userId]);

     

       166
       166
       +
       });

+22

src/lib/auth.ts

···

       1
       1
        
       import db from "../db/schema";

     

       2
       2
        
       

     

       3
       3
        
       const SESSION_DURATION = 7 * 24 * 60 * 60; // 7 days in seconds

     

       4
       4
       +
       const MAX_SESSIONS_PER_USER = 10; // Maximum number of sessions per user

     

       4
       5
        
       

     

       5
       6
        
       export type UserRole = "user" | "admin";

     

       6
       7
        
       

     
···

       30
       31
        
       ): string {

     

       31
       32
        
       	const sessionId = crypto.randomUUID();

     

       32
       33
        
       	const expiresAt = Math.floor(Date.now() / 1000) + SESSION_DURATION;

     

       34
       34
       +
       

     

       35
       35
       +
       	// Check current session count for user

     

       36
       36
       +
       	const sessionCount = db

     

       37
       37
       +
       		.query<{ count: number }, [number]>(

     

       38
       38
       +
       			"SELECT COUNT(*) as count FROM sessions WHERE user_id = ?",

     

       39
       39
       +
       		)

     

       40
       40
       +
       		.get(userId);

     

       41
       41
       +
       

     

       42
       42
       +
       	// If at or over limit, delete oldest session(s)

     

       43
       43
       +
       	if (sessionCount && sessionCount.count >= MAX_SESSIONS_PER_USER) {

     

       44
       44
       +
       		const sessionsToDelete = sessionCount.count - MAX_SESSIONS_PER_USER + 1;

     

       45
       45
       +
       		db.run(

     

       46
       46
       +
       			`DELETE FROM sessions WHERE id IN (

     

       47
       47
       +
       				SELECT id FROM sessions 

     

       48
       48
       +
       				WHERE user_id = ? 

     

       49
       49
       +
       				ORDER BY created_at ASC 

     

       50
       50
       +
       				LIMIT ?

     

       51
       51
       +
       			)`,

     

       52
       52
       +
       			[userId, sessionsToDelete],

     

       53
       53
       +
       		);

     

       54
       54
       +
       	}

     

       33
       55
        
       

     

       34
       56
        
       	db.run(

     

       35
       57
        
       		"INSERT INTO sessions (id, user_id, ip_address, user_agent, expires_at) VALUES (?, ?, ?, ?, ?)",