do sessions in memory and also fix glaring security hole

2025-06-01 23:28:00 +02:00 · 2025-06-01 23:28:00 +02:00 · f48b421500
commit f48b421500
parent 7b6c155a73
31 changed files with 441 additions and 440 deletions
--- a/Femto.Api/Sessions/HttpContextSessionExtensions.cs
+++ b/Femto.Api/Sessions/HttpContextSessionExtensions.cs
@ -1,89 +1,102 @@
 using System.Text.Json;
-using System.Text.Json.Serialization;
 using Femto.Api.Auth;
 using Femto.Modules.Auth.Application.Dto;
+using Femto.Modules.Auth.Models;
 using Microsoft.Extensions.Options;

 namespace Femto.Api.Sessions;

+internal record SessionInfo(string? SessionId, Guid? UserId);
+
 internal static class HttpContextSessionExtensions
 {
-    public static void SetSession(this HttpContext httpContext, SessionDto sessionDto, UserInfo user, ILogger logger)
+    private static readonly JsonSerializerOptions JsonOptions = new()
    {
-        var cookieSettings = httpContext.RequestServices.GetService<IOptions<CookieSettings>>();
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+    };
+
+    public static SessionInfo GetSessionInfo(this HttpContext httpContext)
+    {
+        var sessionId = httpContext.Request.Cookies["sid"];
        
-        var secure = cookieSettings?.Value.Secure ?? true;
-        var sameSite = cookieSettings?.Value.SameSite ?? SameSiteMode.Strict;
-        var domain = cookieSettings?.Value.Domain;
-        var expires = sessionDto.Expires;
+        var userJson = httpContext.Request.Cookies["user"];
+ 
+        UserInfo? user = null;
+        if (userJson is not null)
+        {
+            user = JsonSerializer.Deserialize<UserInfo>(userJson, JsonOptions);
+        }

-        logger.LogInformation(
-            "cookie settings: Secure={Secure}, SameSite={SameSite}, domain={Domain}, Expires={Expires}",
-            secure,
-            sameSite,
-            domain,
-            expires
-        );
+        return new SessionInfo(sessionId, user?.Id);
+    }

-        httpContext.Response.Cookies.Append(
-            "session",
-            sessionDto.SessionId,
+    public static void SetSession(this HttpContext context, Session session, UserInfo user)
+    {
+        var cookieSettings = context.RequestServices.GetRequiredService<
+            IOptions<CookieSettings>
+        >();
+
+        context.Response.Cookies.Append(
+            "sid",
+            session.Id,
            new CookieOptions
            {
+                Path = "/",
                IsEssential = true,
-                Domain = domain,
+                Domain = cookieSettings.Value.Domain,
                HttpOnly = true,
-                Secure = secure,
-                SameSite = sameSite,
-                Expires = expires,
+                Secure = cookieSettings.Value.Secure,
+                SameSite = cookieSettings.Value.SameSite,
+                Expires = session.Expires,
            }
        );

-        httpContext.Response.Cookies.Append(
+        context.Response.Cookies.Append(
            "user",
-            JsonSerializer.Serialize(
-                user,
-                new JsonSerializerOptions
-                {
-                    PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
-                    Converters = { new JsonStringEnumConverter() },
-                }
-            ),
+            JsonSerializer.Serialize(user, JsonOptions),
            new CookieOptions
            {
-                Domain = domain,
+                Path = "/",
+                Domain = cookieSettings.Value.Domain,
                IsEssential = true,
-                Secure = secure,
-                SameSite = sameSite,
-                Expires = sessionDto.Expires,
+                Secure = cookieSettings.Value.Secure,
+                SameSite = cookieSettings.Value.SameSite,
+                Expires = session.Expires,
            }
        );
    }
-
+    
    public static void DeleteSession(this HttpContext httpContext)
    {
-        var cookieSettings = httpContext.RequestServices.GetService<IOptions<CookieSettings>>();
-        
-        var secure = cookieSettings?.Value.Secure ?? true;
-        var sameSite = secure ? SameSiteMode.None : SameSiteMode.Unspecified;
-        var domain = cookieSettings?.Value.Domain;
-        
-        httpContext.Response.Cookies.Delete("session", new CookieOptions
-        {
-            HttpOnly = true,
-            Domain = domain,
-            IsEssential = true,
-            Secure = secure,
-            SameSite = sameSite,
-            Expires = DateTimeOffset.UtcNow.AddDays(-1),
-        });
-        httpContext.Response.Cookies.Delete("user", new CookieOptions
-        {
-            Domain = domain,
-            IsEssential = true,
-            Secure = secure,
-            SameSite = sameSite,
-            Expires = DateTimeOffset.UtcNow.AddDays(-1),
-        });
+        var cookieSettings = httpContext.RequestServices.GetRequiredService<
+            IOptions<CookieSettings>
+        >();
+
+        httpContext.Response.Cookies.Delete(
+            "sid",
+            new CookieOptions
+            {
+                Path = "/",
+                HttpOnly = true,
+                Domain = cookieSettings.Value.Domain,
+                IsEssential = true,
+                Secure = cookieSettings.Value.Secure,
+                SameSite = cookieSettings.Value.SameSite,
+                Expires = DateTimeOffset.UtcNow.AddDays(-1),
+            }
+        );
+
+        httpContext.Response.Cookies.Delete(
+            "user",
+            new CookieOptions
+            {
+                Path = "/",
+                Domain = cookieSettings.Value.Domain,
+                IsEssential = true,
+                Secure = cookieSettings.Value.Secure,
+                SameSite = cookieSettings.Value.SameSite,
+                Expires = DateTimeOffset.UtcNow.AddDays(-1),
+            }
+        );
    }
 }