fix: make use of sessions

sourabpramanik · sourabpramanik · commit 79b1a342ed15 · 2025-07-19T11:41:31.000+05:30
diff --git a/bun.lockb b/bun.lockb
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -89,6 +89,7 @@
     "@simplewebauthn/server": "^13.1.0",
     "jose": "6.0.8",
     "oauth4webapi": "^3.1.4",
-    "qs-esm": "7.0.2"
+    "qs-esm": "7.0.2",
+    "uuid": "11.1.0"
   }
 }
diff --git a/src/core/errors/apiErrors.ts b/src/core/errors/apiErrors.ts
@@ -105,3 +105,9 @@ export class MissingOrInvalidVerification extends AuthAPIError {
     )
   }
 }
+
+export class MissingCollection extends AuthAPIError {
+  constructor() {
+    super("Missing collection", ErrorKind.NotFound)
+  }
+}
diff --git a/src/core/protocols/oauth/oauth_authentication.ts b/src/core/protocols/oauth/oauth_authentication.ts
@@ -1,12 +1,17 @@
 import * as jose from "jose"
 import type { JsonObject, PayloadRequest, TypeWithID } from "payload"
 import { APP_COOKIE_SUFFIX } from "../../../constants.js"
-import { UserNotFoundAPIError } from "../../errors/apiErrors.js"
+import {
+  MissingCollection,
+  UserNotFoundAPIError,
+} from "../../errors/apiErrors.js"
 import {
   createSessionCookies,
   invalidateOAuthCookies,
 } from "../../utils/cookies.js"
 
+import { v4 as uuid } from "uuid"
+import { removeExpiredSessions } from "../../utils/session.js"
 export async function OAuthAuthentication(
   pluginType: string,
   collections: {
@@ -106,15 +111,49 @@ export async function OAuthAuthentication(
 
   let cookies: string[] = []
 
+  const collectionConfig = payload.config.collections.find(
+    (collection) => collection.slug === collections.usersCollection,
+  )
+  if (!collectionConfig) {
+    return new MissingCollection()
+  }
+
+  const sessionID = collectionConfig?.auth.useSessions ? uuid() : null
+
+  if (collectionConfig?.auth.useSessions) {
+    const now = new Date()
+    const tokenExpInMs = collectionConfig.auth.tokenExpiration * 1000
+    const expiresAt = new Date(now.getTime() + tokenExpInMs)
+    const session = { id: sessionID, createdAt: now, expiresAt }
+    if (!userRecord["sessions"]?.length) {
+      userRecord["sessions"] = [session]
+    } else {
+      userRecord.sessions = removeExpiredSessions(userRecord.sessions)
+      userRecord.sessions.push(session)
+    }
+    await payload.db.updateOne({
+      id: userRecord.id,
+      collection: collections.usersCollection,
+      data: userRecord,
+      req: request,
+      returning: false,
+    })
+  }
   const cookieName = useAdmin
     ? `${payload.config.cookiePrefix}-token`
     : `__${pluginType}-${APP_COOKIE_SUFFIX}`
   cookies = [
-    ...(await createSessionCookies(cookieName, secret, {
-      id: userRecord.id,
-      email: email,
-      collection: collections.usersCollection,
-    })),
+    ...(await createSessionCookies(
+      cookieName,
+      secret,
+      {
+        id: userRecord.id,
+        email: email,
+        sid: sessionID,
+        collection: collections.usersCollection,
+      },
+      useAdmin ? collectionConfig?.auth.tokenExpiration : undefined,
+    )),
   ]
   cookies = invalidateOAuthCookies(cookies)
   const successRedirectionURL = new URL(
diff --git a/src/core/protocols/password.ts b/src/core/protocols/password.ts
@@ -3,6 +3,7 @@ import {
   EmailAlreadyExistError,
   InvalidCredentials,
   InvalidRequestBodyError,
+  MissingCollection,
   MissingOrInvalidVerification,
   UnauthorizedAPIRequest,
   UserNotFoundAPIError,
@@ -16,17 +17,27 @@ import {
   invalidateOAuthCookies,
   verifySessionCookie,
 } from "../utils/cookies.js"
+import { v4 as uuid } from "uuid"
+import { removeExpiredSessions } from "../utils/session.js"
 
 const redirectWithSession = async (
   cookieName: string,
   path: string,
   secret: string,
-  fields: Record<string, string | number>,
+  fields: Record<string, string | number | null>,
   request: PayloadRequest,
+  tokenExpiration?: number,
 ) => {
   let cookies = []
 
-  cookies = [...(await createSessionCookies(cookieName, secret, fields))]
+  cookies = [
+    ...(await createSessionCookies(
+      cookieName,
+      secret,
+      fields,
+      tokenExpiration,
+    )),
+  ]
   cookies = invalidateOAuthCookies(cookies)
   const successRedirectionURL = new URL(`${request.origin}${path}`)
   const res = new Response(null, {
@@ -91,12 +102,42 @@ export const PasswordSignin = async (
     return new InvalidCredentials()
   }
 
+  const collectionConfig = payload.config.collections.find(
+    (collection) => collection.slug === internal.usersCollectionSlug,
+  )
+  if (!collectionConfig) {
+    return new MissingCollection()
+  }
+
+  const sessionID = collectionConfig?.auth.useSessions ? uuid() : null
+
+  if (collectionConfig?.auth.useSessions) {
+    const now = new Date()
+    const tokenExpInMs = collectionConfig.auth.tokenExpiration * 1000
+    const expiresAt = new Date(now.getTime() + tokenExpInMs)
+    const session = { id: sessionID, createdAt: now, expiresAt }
+    if (!userRecord["sessions"]?.length) {
+      userRecord["sessions"] = [session]
+    } else {
+      userRecord.sessions = removeExpiredSessions(userRecord.sessions)
+      userRecord.sessions.push(session)
+    }
+    await payload.db.updateOne({
+      id: userRecord.id,
+      collection: internal.usersCollectionSlug,
+      data: userRecord,
+      req: request,
+      returning: false,
+    })
+  }
+
   const cookieName = useAdmin
     ? `${payload.config.cookiePrefix}-token`
     : `__${pluginType}-${APP_COOKIE_SUFFIX}`
   const signinFields = {
     id: userRecord.id,
     email,
+    sid: sessionID,
     collection: internal.usersCollectionSlug,
   }
   return await redirectWithSession(
@@ -105,6 +146,7 @@ export const PasswordSignin = async (
     secret,
     signinFields,
     request,
+    useAdmin ? collectionConfig.auth.tokenExpiration : undefined,
   )
 }
 
@@ -164,12 +206,42 @@ export const PasswordSignup = async (
   })
 
   if (body.allowAutoSignin) {
+    const collectionConfig = payload.config.collections.find(
+      (collection) => collection.slug === internal.usersCollectionSlug,
+    )
+    if (!collectionConfig) {
+      return new MissingCollection()
+    }
+
+    const sessionID = collectionConfig?.auth.useSessions ? uuid() : null
+
+    if (collectionConfig?.auth.useSessions) {
+      const now = new Date()
+      const tokenExpInMs = collectionConfig.auth.tokenExpiration * 1000
+      const expiresAt = new Date(now.getTime() + tokenExpInMs)
+      const session = { id: sessionID, createdAt: now, expiresAt }
+      if (!userRecord["sessions"]?.length) {
+        userRecord["sessions"] = [session]
+      } else {
+        userRecord.sessions = removeExpiredSessions(userRecord.sessions)
+        userRecord.sessions.push(session)
+      }
+      await payload.db.updateOne({
+        id: userRecord.id,
+        collection: internal.usersCollectionSlug,
+        data: userRecord,
+        req: request,
+        returning: false,
+      })
+    }
+
     const cookieName = useAdmin
       ? `${payload.config.cookiePrefix}-token`
       : `__${pluginType}-${APP_COOKIE_SUFFIX}`
     const signinFields = {
       id: userRecord.id,
       email,
+      sid: sessionID,
       collection: internal.usersCollectionSlug,
     }
     return await redirectWithSession(
@@ -178,6 +250,7 @@ export const PasswordSignup = async (
       secret,
       signinFields,
       request,
+      useAdmin ? collectionConfig.auth.tokenExpiration : undefined,
     )
   }
 
diff --git a/src/core/utils/cookies.ts b/src/core/utils/cookies.ts
@@ -5,14 +5,17 @@ export async function createSessionCookies(
   name: string,
   secret: string,
   fieldsToSign: Record<string, unknown>,
+  expiration?: number,
 ) {
-  const tokenExpiration = getCookieExpiration({
-    seconds: 7200,
-  })
+  const tokenExpiration =
+    expiration ??
+    getCookieExpiration({
+      seconds: 7200,
+    }).getTime()
 
   const secretKey = new TextEncoder().encode(secret)
   const issuedAt = Math.floor(Date.now() / 1000)
-  const exp = issuedAt + tokenExpiration.getTime()
+  const exp = issuedAt + tokenExpiration
   const token = await new jwt.SignJWT(fieldsToSign)
     .setProtectedHeader({ alg: "HS256", typ: "JWT" })
     .setIssuedAt(issuedAt)
@@ -21,7 +24,7 @@ export async function createSessionCookies(
 
   const cookies: string[] = []
   cookies.push(
-    `${name}=${token};Path=/;HttpOnly;Secure;SameSite=lax;Expires=${tokenExpiration.toUTCString()}`,
+    `${name}=${token};Path=/;HttpOnly;SameSite=lax;Expires=${getCookieExpiration({ seconds: expiration! }).toUTCString()}`,
   )
   return cookies
 }
diff --git a/src/types.ts b/src/types.ts
@@ -143,3 +143,9 @@ export type ProvidersConfig =
   | PasswordProviderConfig
 
 export type AuthenticationStrategy = "Cookie"
+
+export type UserSession = {
+  createdAt: Date | string
+  expiresAt: Date | string
+  id: string
+}

Original file line number	Diff line number	Diff line change
`@@ -89,6 +89,7 @@`
`89`	`89`	`"@simplewebauthn/server": "^13.1.0",`
`90`	`90`	`"jose": "6.0.8",`
`91`	`91`	`"oauth4webapi": "^3.1.4",`
`92`		`- "qs-esm": "7.0.2"`
	`92`	`+ "qs-esm": "7.0.2",`
	`93`	`+ "uuid": "11.1.0"`
`93`	`94`	`}`
`94`	`95`	`}`
Original file line number	Diff line number	Diff line change
`@@ -105,3 +105,9 @@ export class MissingOrInvalidVerification extends AuthAPIError {`
`105`	`105`	`)`
`106`	`106`	`}`
`107`	`107`	`}`
	`108`	`+`
	`109`	`+export class MissingCollection extends AuthAPIError {`
	`110`	`+ constructor() {`
	`111`	`+ super("Missing collection", ErrorKind.NotFound)`
	`112`	`+ }`
	`113`	`+}`