From 11a31e5a6ddedee40ae57f07b715c8fc42ac7fbc Mon Sep 17 00:00:00 2001
From: Chamika J <75464293+chamikaJ@users.noreply.github.com>
Date: Wed, 6 Aug 2025 10:47:33 +0530
Subject: [PATCH] feat(auth): improve session regeneration and response handling in login process

- Enhanced session management by implementing session regeneration to prevent session fixation during login.
- Added detailed logging for session regeneration, save operations, and response headers to aid in debugging.
- Ensured the user is re-established in the new session and included session cookie details in the response for better traceability.
---
 .../src/controllers/auth-controller.ts | 81 +++++++++++++------
 1 file changed, 56 insertions(+), 25 deletions(-)

diff --git a/worklenz-backend/src/controllers/auth-controller.ts b/worklenz-backend/src/controllers/auth-controller.ts
index 2b36fd60..b5c8759c 100644
--- a/worklenz-backend/src/controllers/auth-controller.ts
+++ b/worklenz-backend/src/controllers/auth-controller.ts
@@ -249,34 +249,65 @@ export default class AuthController extends WorklenzControllerBase { }); } - console.log("=== LOGIN SUCCESSFUL ==="); - console.log("Session ID after login:", req.sessionID); - console.log("Session data after login:", req.session); - console.log("Is authenticated:", req.isAuthenticated()); - console.log("User in session:", req.user); - - // Add build version - user.build_v = FileConstants.getRelease(); - - console.log("Sending response..."); - console.log("Response headers before send:", res.getHeaders()); - - // Ensure session is saved before sending response - req.session.save((saveErr) => { - if (saveErr) { - console.log("Session save error:", saveErr); + // Regenerate session to prevent session fixation + const oldSessionId = req.sessionID; + req.session.regenerate((regenErr) => { + if (regenErr) { + console.log("Session regeneration error:", regenErr); } - console.log("Session saved, cookie header:", res.getHeader('set-cookie')); - return res.status(200).send({ - done: true, - message: "Login successful", - user, - authenticated: true, - sessionId: req.sessionID // Include for debugging + console.log("Session regenerated from:", oldSessionId, "to:", req.sessionID); + + // Re-establish the user in the new session + req.session.passport = { user: { id: user.id } }; + + console.log("=== LOGIN SUCCESSFUL ==="); + console.log("Session ID after login:", req.sessionID); + console.log("Session data after login:", req.session); + console.log("Is authenticated:", req.isAuthenticated()); + console.log("User in session:", req.user); + + // Add build version + user.build_v = FileConstants.getRelease(); + + console.log("Sending response..."); + console.log("Response headers before send:", res.getHeaders()); + + // Ensure session is saved and cookie is set + req.session.save((saveErr) => { + if (saveErr) { + console.log("Session save error:", saveErr); + return res.status(500).send({ + done: false, + message: "Session save failed", + body: null + }); + 
} + + // Force the session cookie to be sent + const sessionName = process.env.SESSION_NAME || 'connect.sid'; + const sessionCookie = req.sessionID; + + console.log("Session saved successfully"); + console.log("Session name:", sessionName); + console.log("Session ID to be sent:", sessionCookie); + + // The session middleware should automatically set the cookie + // But let's check if it's being set + console.log("Response headers after save:", res.getHeaders()); + console.log("Set-Cookie header:", res.getHeader('set-cookie')); + + return res.status(200).send({ + done: true, + message: "Login successful", + user, + authenticated: true, + sessionId: req.sessionID, // Include for debugging + sessionCookie: sessionName // Include cookie name for debugging + }); }); - }); - }); + }); // Close regenerate callback + }); // Close login callback })(req, res, next); }
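Review bot: A failed `regenerate` is not a terminal path: on `regenErr` the callback only logs, then falls through to write `req.session.passport`, log `=== LOGIN SUCCESSFUL ===` and answer 200 with `authenticated: true`, so the very protection this commit adds (a fresh session id on login) is silently skipped; mirror the `saveErr` branch with `return res.status(500).send({ done: false, message: "Session regeneration failed", body: null });` inside the `if (regenErr)` block. The success body also returns `sessionId: req.sessionID` and the `console.log` calls dump `req.session` and `req.user` in full, which moves the session identifier out of the HttpOnly cookie into a JSON body any script can read and puts session contents in the logs; both are marked "for debugging" and should be dropped (or gated to non-production) before this merges. Assigning `req.session.passport = { user: { id: user.id } }` by hand hardcodes the serialized shape, so if the app's `serializeUser` (not visible here) stores anything else, `deserializeUser` will not restore the user on later requests; `req.logIn(user, ...)` after regeneration would keep the two in sync, and if the installed passport version already regenerates the session inside `logIn`, the manual regenerate here may be redundant and worth confirming. The enclosing login callback begins outside this hunk.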