overleaf/services/web/app/src/infrastructure/SessionStoreManager.js

const Metrics = require('metrics-sharelatex')
const logger = require('logger-sharelatex')

function computeValidationToken(req) {
  // this should be a deterministic function of the client-side sessionID,
  // prepended with a version number in case we want to change it later
  return 'v1:' + req.sessionID.slice(-4)
}

function checkValidationToken(req) {
  if (req.session) {
    const sessionToken = req.session.validationToken
    if (sessionToken) {
      const clientToken = computeValidationToken(req)
      // Reject invalid sessions. If you change the method for computing the
      // token (above) then you need to either check or ignore previous
      // versions of the token.
      if (sessionToken === clientToken) {
        Metrics.inc('security.session', 1, { status: 'ok' })
        return true
      } else {
        logger.error(
          {
            sessionToken: sessionToken,
            clientToken: clientToken
          },
          'session token validation failed'
        )
        Metrics.inc('security.session', 1, { status: 'error' })
        return false
      }
    } else {
      Metrics.inc('security.session', 1, { status: 'missing' })
    }
  }
  return true // fallback to allowing session
}

module.exports = {
  enableValidationToken(sessionStore) {
    // generate an identifier from the sessionID for every new session
    const originalGenerate = sessionStore.generate
    sessionStore.generate = function(req) {
      originalGenerate(req)
      // add the validation token as a property that cannot be overwritten
      Object.defineProperty(req.session, 'validationToken', {
        value: computeValidationToken(req),
        enumerable: true,
        writable: false
      })
      Metrics.inc('security.session', 1, { status: 'new' })
    }
  },

  validationMiddleware(req, res, next) {
    if (!checkValidationToken(req)) {
      // the session must exist for it to fail validation
      req.session.destroy(() => {
        return next(new Error('invalid session'))
      })
    } else {
      return next()
    }
  },

  hasValidationToken(req) {
    if (req && req.session && req.session.validationToken) {
      return true
    } else {
      return false
    }
  }
}
Merge pull request #2263 from overleaf/spd-revert-revert Revert "Revert "Merge pull request #2249" GitOrigin-RevId: 70b0da473e923a072aeca1cc146c82e460757747 2019-10-18 08:59:00 -04:00			`const Metrics = require('metrics-sharelatex')`
			`const logger = require('logger-sharelatex')`

			`function computeValidationToken(req) {`
			`// this should be a deterministic function of the client-side sessionID,`
			`// prepended with a version number in case we want to change it later`
			`return 'v1:' + req.sessionID.slice(-4)`
			`}`

Merge pull request #2271 from overleaf/bg-reject-invalid-sessions reject invalid sessions with middleware GitOrigin-RevId: 07ab8829cbed92bbcb90b2c5f2c9d049e05b77cd 2019-10-22 03:29:19 -04:00			`function checkValidationToken(req) {`
			`if (req.session) {`
			`const sessionToken = req.session.validationToken`
			`if (sessionToken) {`
			`const clientToken = computeValidationToken(req)`
			`// Reject invalid sessions. If you change the method for computing the`
			`// token (above) then you need to either check or ignore previous`
			`// versions of the token.`
			`if (sessionToken === clientToken) {`
			`Metrics.inc('security.session', 1, { status: 'ok' })`
			`return true`
			`} else {`
			`logger.error(`
			`{`
			`sessionToken: sessionToken,`
			`clientToken: clientToken`
			`},`
			`'session token validation failed'`
			`)`
			`Metrics.inc('security.session', 1, { status: 'error' })`
			`return false`
			`}`
			`} else {`
			`Metrics.inc('security.session', 1, { status: 'missing' })`
			`}`
			`}`
			`return true // fallback to allowing session`
			`}`

Merge pull request #2263 from overleaf/spd-revert-revert Revert "Revert "Merge pull request #2249" GitOrigin-RevId: 70b0da473e923a072aeca1cc146c82e460757747 2019-10-18 08:59:00 -04:00			`module.exports = {`
			`enableValidationToken(sessionStore) {`
			`// generate an identifier from the sessionID for every new session`
			`const originalGenerate = sessionStore.generate`
			`sessionStore.generate = function(req) {`
			`originalGenerate(req)`
			`// add the validation token as a property that cannot be overwritten`
			`Object.defineProperty(req.session, 'validationToken', {`
			`value: computeValidationToken(req),`
			`enumerable: true,`
			`writable: false`
			`})`
			`Metrics.inc('security.session', 1, { status: 'new' })`
			`}`
			`},`

Merge pull request #2271 from overleaf/bg-reject-invalid-sessions reject invalid sessions with middleware GitOrigin-RevId: 07ab8829cbed92bbcb90b2c5f2c9d049e05b77cd 2019-10-22 03:29:19 -04:00			`validationMiddleware(req, res, next) {`
			`if (!checkValidationToken(req)) {`
			`// the session must exist for it to fail validation`
			`req.session.destroy(() => {`
			`return next(new Error('invalid session'))`
			`})`
			`} else {`
			`return next()`
Merge pull request #2263 from overleaf/spd-revert-revert Revert "Revert "Merge pull request #2249" GitOrigin-RevId: 70b0da473e923a072aeca1cc146c82e460757747 2019-10-18 08:59:00 -04:00			`}`
Merge pull request #2276 from overleaf/bg-reject-invalid-sessions reject invalid sessions GitOrigin-RevId: 5dc59609d01d7ad9bc29f9bf18faee1165d10689 2019-10-22 05:08:49 -04:00			`},`

			`hasValidationToken(req) {`
			`if (req && req.session && req.session.validationToken) {`
			`return true`
			`} else {`
			`return false`
			`}`
Merge pull request #2263 from overleaf/spd-revert-revert Revert "Revert "Merge pull request #2249" GitOrigin-RevId: 70b0da473e923a072aeca1cc146c82e460757747 2019-10-18 08:59:00 -04:00			`}`
			`}`