groove/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-02-28 21:19:42 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Allow rotation without grace period for invalidating all user sessions

Browse source
This commit is contained in:
Nicholas Wallace 2026-01-24 18:26:11 -07:00
parent e1ae4f2d31
commit b8a2d113f0
1 changed files with 13 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

20
server/auth/TokenManager.js
View file

@ -183,17 +183,23 @@ class TokenManager {
* @param {import('../models/User')} user
* @param {import('express').Request} req
* @param {import('express').Response} res
* @returns {Promise<{ accessToken:string, refreshToken:string }>}
* @param {boolean} noGracePeriod - whether to skip the grace period
*/
async rotateTokensForSession(session, user, req, res) {
async rotateTokensForSession(session, user, req, res, noGracePeriod = false) {
// Generate new tokens
const newAccessToken = this.generateTempAccessToken(user)
let newRefreshToken = this.generateRefreshToken(user)
// Set grace period of old refresh token in case of race condition in token rotation.
// This grace period may need to be longer if fetching the user data takes longer due to large progress objects
session.lastRefreshToken = session.refreshToken
session.lastRefreshTokenExpiresAt = new Date(Date.now() + 60 * 1000) // 1 minute grace period
if (noGracePeriod) {
// Set grace period of old refresh token in case of race condition in token rotation.
// This grace period may need to be longer if fetching the user data takes longer due to large progress objects
session.lastRefreshToken = session.refreshToken
session.lastRefreshTokenExpiresAt = new Date(Date.now() + 60 * 1000) // 1 minute grace period
} else {
// Do not set grace period of old refresh token, such as when specifically invalidating sessions for a user
session.lastRefreshToken = null
session.lastRefreshTokenExpiresAt = null
}
// Update the session with the new refresh token and expiration
session.refreshToken = newRefreshToken
@ -416,7 +422,7 @@ class TokenManager {
// So rotate token for current session
const currentSession = await Database.sessionModel.findOne({ where: { refreshToken: currentRefreshToken } })
if (currentSession) {
const newTokens = await this.rotateTokensForSession(currentSession, user, req, res)
const newTokens = await this.rotateTokensForSession(currentSession, user, req, res, true)
// Invalidate all sessions for the user except the current one
await Database.sessionModel.destroy({