add strip duplicate sesion middleware

server/apiServer.ts

@@ -21,6 +21,7 @@ import HttpCode from "./types/HttpCode";
 import requestTimeoutMiddleware from "./middlewares/requestTimeout";
 import { createStore } from "@server/lib/private/rateLimitStore";
 import hybridRouter from "@server/routers/private/hybrid";
+import { stripDuplicateSesions } from "./middlewares/stripDuplicateSessions";
 
 const dev = config.isDev;
 const externalPort = config.getRawConfig().server.external_port;
@@ -73,6 +74,7 @@ export function createApiServer() {
         apiServer.use(csrfProtectionMiddleware);
     }
 
+    apiServer.use(stripDuplicateSesions);
     apiServer.use(cookieParser());
     apiServer.use(express.json());
 

server/internalServer.ts

@@ -9,6 +9,7 @@ import {
     notFoundMiddleware
 } from "@server/middlewares";
 import internal from "@server/routers/internal";
+import { stripDuplicateSesions } from "./middlewares/stripDuplicateSessions";
 
 const internalPort = config.getRawConfig().server.internal_port;
 
@@ -17,6 +18,7 @@ export function createInternalServer() {
 
     internalServer.use(helmet());
     internalServer.use(cors());
+    internalServer.use(stripDuplicateSesions);
     internalServer.use(cookieParser());
     internalServer.use(express.json());
 

server/middlewares/stripDuplicateSessions.ts

@@ -0,0 +1,49 @@
+import { NextFunction, Response } from "express";
+import ErrorResponse from "@server/types/ErrorResponse";
+import {
+    SESSION_COOKIE_NAME,
+    validateSessionToken
+} from "@server/auth/sessions/app";
+
+export const stripDuplicateSesions = async (
+    req: any,
+    res: Response<ErrorResponse>,
+    next: NextFunction
+) => {
+    const cookieHeader: string | undefined = req.headers.cookie;
+    if (!cookieHeader) {
+        return next();
+    }
+
+    const cookies = cookieHeader.split(";").map((cookie) => cookie.trim());
+    const sessionCookies = cookies.filter((cookie) =>
+        cookie.startsWith(`${SESSION_COOKIE_NAME}=`)
+    );
+
+    const validSessions: string[] = [];
+    if (sessionCookies.length > 1) {
+        for (const cookie of sessionCookies) {
+            const cookieValue = cookie.split("=")[1];
+            const res = await validateSessionToken(cookieValue);
+            if (res.session && res.user) {
+                validSessions.push(cookieValue);
+            }
+        }
+
+        if (validSessions.length > 0) {
+            const newCookieHeader = cookies.filter((cookie) => {
+                if (cookie.startsWith(`${SESSION_COOKIE_NAME}=`)) {
+                    const cookieValue = cookie.split("=")[1];
+                    return validSessions.includes(cookieValue);
+                }
+                return true;
+            });
+            req.headers.cookie = newCookieHeader.join("; ");
+            if (req.cookies) {
+                req.cookies[SESSION_COOKIE_NAME] = validSessions[0];
+            }
+        }
+    }
+
+    return next();
+};

server/nextServer.ts

@@ -3,6 +3,7 @@ import express from "express";
 import { parse } from "url";
 import logger from "@server/logger";
 import config from "@server/lib/config";
+import { stripDuplicateSesions } from "./middlewares/stripDuplicateSessions";
 
 const nextPort = config.getRawConfig().server.next_port;
 
@@ -15,6 +16,8 @@ export async function createNextServer() {
 
     const nextServer = express();
 
+    nextServer.use(stripDuplicateSesions);
+
     nextServer.all("/{*splat}", (req, res) => {
         const parsedUrl = parse(req.url!, true);
         return handle(req, res, parsedUrl);