updated auth routes to use sessions and "httpOnly" cookies

2026-02-07 18:23:03 +00:00 · 2026-01-09 05:33:36 +00:00
parent 89b38a4aa3
commit f90ddc2e4c
6 changed files with 104 additions and 30 deletions
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@@ -1,10 +1,25 @@
-import { withAuth, withCors } from "./auth/middleware";
+import { withAuth, withCors, withCSRF } from "./auth/middleware";
 import { testDB } from "./db/client";
+import { cleanupExpiredSessions } from "./db/queries";
 import { routes } from "./routes";

 const DEV = process.argv.find((arg) => ["--dev", "--developer", "-d"].includes(arg.toLowerCase())) != null;
 const PORT = process.argv.find((arg) => arg.toLowerCase().startsWith("--port="))?.split("=")[1] || 0;

+const SESSION_CLEANUP_INTERVAL = 60 * 60 * 1000; // 1 hour in ms
+
+const startSessionCleanup = () => {
+    const cleanup = async () => {
+        const count = await cleanupExpiredSessions();
+        if (count > 0) {
+            console.log(`cleaned up ${count} expired sessions`);
+        }
+    };
+
+    cleanup();
+    setInterval(cleanup, SESSION_CLEANUP_INTERVAL);
+};
+
 const main = async () => {
    const server = Bun.serve({
        port: Number(PORT),
@@ -12,35 +27,39 @@ const main = async () => {
            "/": withCors(() => new Response(`title: eussi\ndev-mode: ${DEV}\nport: ${PORT}`)),
            "/health": withCors(() => new Response("OK")),

+            // routes that modify state require withCSRF middleware
            "/auth/register": withCors(routes.authRegister),
            "/auth/login": withCors(routes.authLogin),
+            "/auth/logout": withCors(withAuth(withCSRF(routes.authLogout))),
            "/auth/me": withCors(withAuth(routes.authMe)),

            "/user/by-username": withCors(withAuth(routes.userByUsername)),
-            "/user/update": withCors(withAuth(routes.userUpdate)),
-            "/user/upload-avatar": withCors(routes.userUploadAvatar),
+            "/user/update": withCors(withAuth(withCSRF(routes.userUpdate))),
+            "/user/upload-avatar": withCors(withAuth(withCSRF(routes.userUploadAvatar))),

-            "/issue/create": withCors(withAuth(routes.issueCreate)),
-            "/issue/update": withCors(withAuth(routes.issueUpdate)),
-            "/issue/delete": withCors(withAuth(routes.issueDelete)),
+            "/issue/create": withCors(withAuth(withCSRF(routes.issueCreate))),
+            "/issue/update": withCors(withAuth(withCSRF(routes.issueUpdate))),
+            "/issue/delete": withCors(withAuth(withCSRF(routes.issueDelete))),

            "/issues/by-project": withCors(withAuth(routes.issuesByProject)),
            "/issues/all": withCors(withAuth(routes.issues)),

-            "/organisation/create": withCors(withAuth(routes.organisationCreate)),
+            "/organisation/create": withCors(withAuth(withCSRF(routes.organisationCreate))),
            "/organisation/by-id": withCors(withAuth(routes.organisationById)),
-            "/organisation/update": withCors(withAuth(routes.organisationUpdate)),
-            "/organisation/delete": withCors(withAuth(routes.organisationDelete)),
-            "/organisation/add-member": withCors(withAuth(routes.organisationAddMember)),
+            "/organisation/update": withCors(withAuth(withCSRF(routes.organisationUpdate))),
+            "/organisation/delete": withCors(withAuth(withCSRF(routes.organisationDelete))),
+            "/organisation/add-member": withCors(withAuth(withCSRF(routes.organisationAddMember))),
            "/organisation/members": withCors(withAuth(routes.organisationMembers)),
-            "/organisation/remove-member": withCors(withAuth(routes.organisationRemoveMember)),
-            "/organisation/update-member-role": withCors(withAuth(routes.organisationUpdateMemberRole)),
+            "/organisation/remove-member": withCors(withAuth(withCSRF(routes.organisationRemoveMember))),
+            "/organisation/update-member-role": withCors(
+                withAuth(withCSRF(routes.organisationUpdateMemberRole)),
+            ),

            "/organisations/by-user": withCors(withAuth(routes.organisationsByUser)),

-            "/project/create": withCors(withAuth(routes.projectCreate)),
-            "/project/update": withCors(withAuth(routes.projectUpdate)),
-            "/project/delete": withCors(withAuth(routes.projectDelete)),
+            "/project/create": withCors(withAuth(withCSRF(routes.projectCreate))),
+            "/project/update": withCors(withAuth(withCSRF(routes.projectUpdate))),
+            "/project/delete": withCors(withAuth(withCSRF(routes.projectDelete))),
            "/project/with-creator": withCors(withAuth(routes.projectWithCreator)),

            "/projects/by-creator": withCors(withAuth(routes.projectsByCreator)),
@@ -52,6 +71,7 @@ const main = async () => {

    console.log(`eussi (issue server) listening on ${server.url}`);
    await testDB();
+    startSessionCleanup();
 };

 main();