Implement new JWT auth

2025-12-06 03:49:40 +00:00 · 2025-06-29 17:22:58 -05:00 · 2025-06-29 17:22:58 -05:00 · 4f5123e842
commit 4f5123e842
parent e384863148
21 changed files with 739 additions and 56 deletions
--- a/server/models/ApiToken.js
+++ b/server/models/ApiToken.js
@ -0,0 +1,90 @@
+const { DataTypes, Model, Op } = require('sequelize')
+
+class ApiToken extends Model {
+  constructor(values, options) {
+    super(values, options)
+
+    /** @type {UUIDV4} */
+    this.id
+    /** @type {string} */
+    this.name
+    /** @type {string} */
+    this.tokenHash
+    /** @type {Date} */
+    this.expiresAt
+    /** @type {Date} */
+    this.lastUsedAt
+    /** @type {boolean} */
+    this.isActive
+    /** @type {Object} */
+    this.permissions
+    /** @type {Date} */
+    this.createdAt
+    /** @type {UUIDV4} */
+    this.userId
+
+    // Expanded properties
+
+    /** @type {import('./User').User} */
+    this.user
+  }
+
+  /**
+   * Clean up expired api tokens from the database
+   * @returns {Promise<number>} Number of api tokens deleted
+   */
+  static async cleanupExpiredApiTokens() {
+    const deletedCount = await ApiToken.destroy({
+      where: {
+        expiresAt: {
+          [Op.lt]: new Date()
+        }
+      }
+    })
+    return deletedCount
+  }
+
+  /**
+   * Initialize model
+   * @param {import('../Database').sequelize} sequelize
+   */
+  static init(sequelize) {
+    super.init(
+      {
+        id: {
+          type: DataTypes.UUID,
+          defaultValue: DataTypes.UUIDV4,
+          primaryKey: true
+        },
+        name: DataTypes.STRING,
+        tokenHash: {
+          type: DataTypes.STRING,
+          allowNull: false
+        },
+        expiresAt: DataTypes.DATE,
+        lastUsedAt: DataTypes.DATE,
+        isActive: {
+          type: DataTypes.BOOLEAN,
+          allowNull: false,
+          defaultValue: false
+        },
+        permissions: DataTypes.JSON
+      },
+      {
+        sequelize,
+        modelName: 'apiToken'
+      }
+    )
+
+    const { user } = sequelize.models
+    user.hasMany(ApiToken, {
+      onDelete: 'CASCADE',
+      foreignKey: {
+        allowNull: false
+      }
+    })
+    ApiToken.belongsTo(user)
+  }
+}
+
+module.exports = ApiToken
--- a/server/models/Session.js
+++ b/server/models/Session.js
@ -0,0 +1,88 @@
+const { DataTypes, Model, Op } = require('sequelize')
+
+class Session extends Model {
+  constructor(values, options) {
+    super(values, options)
+
+    /** @type {UUIDV4} */
+    this.id
+    /** @type {string} */
+    this.ipAddress
+    /** @type {string} */
+    this.userAgent
+    /** @type {Date} */
+    this.createdAt
+    /** @type {Date} */
+    this.updatedAt
+    /** @type {UUIDV4} */
+    this.userId
+    /** @type {Date} */
+    this.expiresAt
+
+    // Expanded properties
+
+    /** @type {import('./User').User} */
+    this.user
+  }
+
+  static async createSession(userId, ipAddress, userAgent, refreshToken, expiresAt) {
+    const session = await Session.create({ userId, ipAddress, userAgent, refreshToken, expiresAt })
+    return session
+  }
+
+  /**
+   * Clean up expired sessions from the database
+   * @returns {Promise<number>} Number of sessions deleted
+   */
+  static async cleanupExpiredSessions() {
+    const deletedCount = await Session.destroy({
+      where: {
+        expiresAt: {
+          [Op.lt]: new Date()
+        }
+      }
+    })
+    return deletedCount
+  }
+
+  /**
+   * Initialize model
+   * @param {import('../Database').sequelize} sequelize
+   */
+  static init(sequelize) {
+    super.init(
+      {
+        id: {
+          type: DataTypes.UUID,
+          defaultValue: DataTypes.UUIDV4,
+          primaryKey: true
+        },
+        ipAddress: DataTypes.STRING,
+        userAgent: DataTypes.STRING,
+        refreshToken: {
+          type: DataTypes.STRING,
+          allowNull: false
+        },
+        expiresAt: {
+          type: DataTypes.DATE,
+          allowNull: false
+        }
+      },
+      {
+        sequelize,
+        modelName: 'session'
+      }
+    )
+
+    const { user } = sequelize.models
+    user.hasMany(Session, {
+      onDelete: 'CASCADE',
+      foreignKey: {
+        allowNull: false
+      }
+    })
+    Session.belongsTo(user)
+  }
+}
+
+module.exports = Session
--- a/server/models/User.js
+++ b/server/models/User.js
@ -112,6 +112,10 @@ class User extends Model {
    this.updatedAt
    /** @type {import('./MediaProgress')[]?} - Only included when extended */
    this.mediaProgresses
+
+    // Temporary accessToken, not stored in database
+    /** @type {string} */
+    this.accessToken
  }

  // Excludes "root" since their can only be 1 root user
@ -520,7 +524,9 @@ class User extends Model {
      username: this.username,
      email: this.email,
      type: this.type,
+      // TODO: Old non-expiring token
      token: this.type === 'root' && hideRootToken ? '' : this.token,
+      accessToken: this.accessToken || null,
      mediaProgress: this.mediaProgresses?.map((mp) => mp.getOldMediaProgress()) || [],
      seriesHideFromContinueListening: [...seriesHideFromContinueListening],
      bookmarks: this.bookmarks?.map((b) => ({ ...b })) || [],