From 8484ae75c7fbe15c46e32f8008985df481d9d894 Mon Sep 17 00:00:00 2001
From: Brian Gough
Date: Tue, 12 Mar 2024 17:15:37 +0000
Subject: [PATCH] Merge pull request #17537 from overleaf/bg-session-mitigation-log-session-size

Add custom session store to track largest session sizes for anonymous users

GitOrigin-RevId: 23312689d7adb8196e66bb925afcfef78c4c558d
---
 services/web/app/src/infrastructure/Server.js | 36 ++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/services/web/app/src/infrastructure/Server.js b/services/web/app/src/infrastructure/Server.js
index c2762d6c3a..f2d561946f 100644
--- a/services/web/app/src/infrastructure/Server.js
+++ b/services/web/app/src/infrastructure/Server.js
@@ -48,8 +48,42 @@ const STATIC_CACHE_AGE = Settings.cacheStaticAssets
   ? oneDayInMilliseconds * 365
   : 0
 
+// Define a custom session store to record the largest session sizes
+// seen for anonymous users
+class CustomSessionStore extends RedisStore {
+  static largestSessionSize = 2048 // ignore sessions smaller than 2KB
+
+  static trackAnonymousSessionSize(sess) {
+    const isLoggedIn = SessionManager.isUserLoggedIn(sess)
+    if (!isLoggedIn) {
+      const len = JSON.stringify(sess, (key, value) => {
+        if (key === 'hashedPassword' && value?.length > 0) {
+          return '*'.repeat(value.length)
+        }
+        return value
+      }).length
+      if (len > CustomSessionStore.largestSessionSize) {
+        CustomSessionStore.largestSessionSize = len
+        logger.warn({ sess, sessionSize: len }, 'largest session size seen')
+      }
+    }
+  }
+
+  set(sid, sess, cb) {
+    CustomSessionStore.trackAnonymousSessionSize(sess)
+    super.set(sid, sess, cb)
+  }
+
+  touch(sid, sess, cb) {
+    CustomSessionStore.trackAnonymousSessionSize(sess)
+    super.touch(sid, sess, cb)
+  }
+}
+
 // Init the session store
-const sessionStore = new RedisStore({ client: sessionsRedisClient })
+const sessionStore = new CustomSessionStore(
+  new RedisStore({ client: sessionsRedisClient })
+)
 
 const app = express()
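Review bot: The `logger.warn({ sess, sessionSize: len }, ...)` call in `trackAnonymousSessionSize` logs the raw `sess` object, so the `hashedPassword` masking done in the JSON.stringify replacer only affects the measured length and not what reaches the log; every field of an oversized anonymous session, which is exactly the input this change is trying to characterise, is written out verbatim at warn level. Logging the redacted form, or only the session's shape, keeps the diagnostic value without copying session contents into logs, e.g. `logger.warn({ sessionKeys: Object.keys(sess), sessionSize: len }, 'largest session size seen')`. A second, smaller point: `new CustomSessionStore(new RedisStore({ client: sessionsRedisClient }))` hands a fully built RedisStore to the subclass's inherited constructor in the position where an options object is expected, which appears to work only because that instance happens to expose a `client` property. `new CustomSessionStore({ client: sessionsRedisClient })` states the intent directly and avoids constructing a second store whose only role is to act as an options bag.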