🔒 fix: resolve session persistence post password reset (#5077)

* ✨ feat: Implement session management with CRUD operations and integrate into user workflows * ✨ refactor: Update session model import paths and enhance session creation logic in AuthService * ✨ refactor: Validate session and user ID formats in session management functions * ✨ style: Enhance UI components with improved styling and accessibility features * chore: Update login form tests to use getByTestId instead of getByRole, remove console.log() * chore: Update login form tests to use getByTestId instead of getByRole --------- Co-authored-by: Danny Avila <danny@librechat.ai>
2025-09-22 06:00:56 +02:00 · 2024-12-23 11:12:07 +01:00 · 2024-12-23 11:12:07 +01:00 · bdb222d5f4
commit bdb222d5f4
parent 9bca2ae953
17 changed files with 402 additions and 116 deletions
--- a/api/server/services/AuthService.js
+++ b/api/server/services/AuthService.js
@ -10,7 +10,15 @@ const {
  generateToken,
  deleteUserById,
 } = require('~/models/userMethods');
-const { createToken, findToken, deleteTokens, Session } = require('~/models');
+const {
+  createToken,
+  findToken,
+  deleteTokens,
+  findSession,
+  deleteSession,
+  createSession,
+  generateRefreshToken,
+} = require('~/models');
 const { isEnabled, checkEmailConfig, sendEmail } = require('~/server/utils');
 const { isEmailDomainAllowed } = require('~/server/services/domains');
 const { registerSchema } = require('~/strategies/validators');
@ -37,10 +45,11 @@ const logoutUser = async (userId, refreshToken) => {
    const hash = await hashToken(refreshToken);

    // Find the session with the matching user and refreshTokenHash
-    const session = await Session.findOne({ user: userId, refreshTokenHash: hash });
+    const session = await findSession({ userId: userId, refreshToken: hash });
+
    if (session) {
      try {
-        await Session.deleteOne({ _id: session._id });
+        await deleteSession({ sessionId: session._id });
      } catch (deleteErr) {
        logger.error('[logoutUser] Failed to delete session.', deleteErr);
        return { status: 500, message: 'Failed to delete session.' };
@ -330,18 +339,19 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
    const token = await generateToken(user);

    let session;
+    let refreshToken;
    let refreshTokenExpires;
-    if (sessionId) {
-      session = await Session.findById(sessionId);
-      refreshTokenExpires = session.expiration.getTime();
-    } else {
-      session = new Session({ user: userId });
-      const { REFRESH_TOKEN_EXPIRY } = process.env ?? {};
-      const expires = eval(REFRESH_TOKEN_EXPIRY) ?? 1000 * 60 * 60 * 24 * 7;
-      refreshTokenExpires = Date.now() + expires;
-    }

-    const refreshToken = await session.generateRefreshToken();
+    if (sessionId) {
+      session = await findSession({ sessionId: sessionId });
+      refreshTokenExpires = session.expiration.getTime();
+      refreshToken = await generateRefreshToken(session);
+    } else {
+      const result = await createSession(userId);
+      session = result.session;
+      refreshToken = result.refreshToken;
+      refreshTokenExpires = session.expiration.getTime();
+    }

    res.cookie('refreshToken', refreshToken, {
      expires: new Date(refreshTokenExpires),