🔒 fix: resolve session persistence post password reset (#5077)

* ✨ feat: Implement session management with CRUD operations and integrate into user workflows * ✨ refactor: Update session model import paths and enhance session creation logic in AuthService * ✨ refactor: Validate session and user ID formats in session management functions * ✨ style: Enhance UI components with improved styling and accessibility features * chore: Update login form tests to use getByTestId instead of getByRole, remove console.log() * chore: Update login form tests to use getByTestId instead of getByRole --------- Co-authored-by: Danny Avila <danny@librechat.ai>
2025-12-18 01:10:14 +01:00 · 2024-12-23 11:12:07 +01:00 · 2024-12-23 11:12:07 +01:00 · bdb222d5f4
commit bdb222d5f4
parent 9bca2ae953
17 changed files with 402 additions and 116 deletions
--- a/api/server/controllers/AuthController.js
+++ b/api/server/controllers/AuthController.js
@ -6,8 +6,8 @@ const {
  setAuthTokens,
  requestPasswordReset,
 } = require('~/server/services/AuthService');
+const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
 const { hashToken } = require('~/server/utils/crypto');
-const { Session, getUserById } = require('~/models');
 const { logger } = require('~/config');

 const registrationController = async (req, res) => {
@ -45,6 +45,7 @@ const resetPasswordController = async (req, res) => {
    if (resetPasswordService instanceof Error) {
      return res.status(400).json(resetPasswordService);
    } else {
+      await deleteAllUserSessions({ userId: req.body.userId });
      return res.status(200).json(resetPasswordService);
    }
  } catch (e) {
@ -77,7 +78,7 @@ const refreshController = async (req, res) => {
    const hashedToken = await hashToken(refreshToken);

    // Find the session with the hashed refresh token
-    const session = await Session.findOne({ user: userId, refreshTokenHash: hashedToken });
+    const session = await findSession({ userId: userId, refreshToken: hashedToken });
    if (session && session.expiration > new Date()) {
      const token = await setAuthTokens(userId, res, session._id);
      res.status(200).send({ token, user });
--- a/api/server/controllers/UserController.js
+++ b/api/server/controllers/UserController.js
@ -1,5 +1,4 @@
 const {
-  Session,
  Balance,
  getFiles,
  deleteFiles,
@ -7,6 +6,7 @@ const {
  deletePresets,
  deleteMessages,
  deleteUserById,
+  deleteAllUserSessions,
 } = require('~/models');
 const User = require('~/models/User');
 const { updateUserPluginAuth, deleteUserPluginAuth } = require('~/server/services/PluginService');
@ -112,7 +112,7 @@ const deleteUserController = async (req, res) => {

  try {
    await deleteMessages({ user: user.id }); // delete user messages
-    await Session.deleteMany({ user: user.id }); // delete user sessions
+    await deleteAllUserSessions({ userId: user.id }); // delete user sessions
    await Transaction.deleteMany({ user: user.id }); // delete user transactions
    await deleteUserKey({ userId: user.id, all: true }); // delete user keys
    await Balance.deleteMany({ user: user._id }); // delete user balances
--- a/api/server/services/AuthService.js
+++ b/api/server/services/AuthService.js
@ -10,7 +10,15 @@ const {
  generateToken,
  deleteUserById,
 } = require('~/models/userMethods');
-const { createToken, findToken, deleteTokens, Session } = require('~/models');
+const {
+  createToken,
+  findToken,
+  deleteTokens,
+  findSession,
+  deleteSession,
+  createSession,
+  generateRefreshToken,
+} = require('~/models');
 const { isEnabled, checkEmailConfig, sendEmail } = require('~/server/utils');
 const { isEmailDomainAllowed } = require('~/server/services/domains');
 const { registerSchema } = require('~/strategies/validators');
@ -37,10 +45,11 @@ const logoutUser = async (userId, refreshToken) => {
    const hash = await hashToken(refreshToken);

    // Find the session with the matching user and refreshTokenHash
-    const session = await Session.findOne({ user: userId, refreshTokenHash: hash });
+    const session = await findSession({ userId: userId, refreshToken: hash });
+
    if (session) {
      try {
-        await Session.deleteOne({ _id: session._id });
+        await deleteSession({ sessionId: session._id });
      } catch (deleteErr) {
        logger.error('[logoutUser] Failed to delete session.', deleteErr);
        return { status: 500, message: 'Failed to delete session.' };
@ -330,18 +339,19 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
    const token = await generateToken(user);

    let session;
+    let refreshToken;
    let refreshTokenExpires;
-    if (sessionId) {
-      session = await Session.findById(sessionId);
-      refreshTokenExpires = session.expiration.getTime();
-    } else {
-      session = new Session({ user: userId });
-      const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
-      const expires = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7;
-      refreshTokenExpires = Date.now() + expires;
-    }

-    const refreshToken = await session.generateRefreshToken();
+    if (sessionId) {
+      session = await findSession({ sessionId: sessionId });
+      refreshTokenExpires = session.expiration.getTime();
+      refreshToken = await generateRefreshToken(session);
+    } else {
+      const result = await createSession(userId);
+      session = result.session;
+      refreshToken = result.refreshToken;
+      refreshTokenExpires = session.expiration.getTime();
+    }

    res.cookie('refreshToken', refreshToken, {
      expires: new Date(refreshTokenExpires),