fix(api): validate cookie session data

2025-12-31 13:39:52 -06:00 · 2025-01-10 11:01:37 -05:00
parent b9947108a4
commit fe98295496
3 changed files with 25 additions and 7 deletions
--- a/api/dev/sessions/sess_mock-user-session
+++ b/api/dev/sessions/sess_mock-user-session
@@ -0,0 +1 @@
+unraid_login|i:1736523078;unraid_user|s:4:"root";locale|s:0:"";buildDate|s:8:"20241202";
--- a/api/src/unraid-api/auth/cookie.service.spec.ts
+++ b/api/src/unraid-api/auth/cookie.service.spec.ts
@@ -1,7 +1,11 @@
-import { Test, type TestingModule } from '@nestjs/testing';
+import type { TestingModule } from '@nestjs/testing';
+import { Test } from '@nestjs/testing';
+import { writeFile } from 'node:fs/promises';
+
+import { emptyDir } from 'fs-extra';
+import { afterAll, beforeAll, describe, it } from 'vitest';
+
 import { CookieService, SESSION_COOKIE_CONFIG } from './cookie.service';
-import { describe, it, beforeAll, afterAll } from 'vitest';
-import { emptyDir, ensureFile } from 'fs-extra';

 describe.concurrent('CookieService', () => {
    let service: CookieService;
@@ -10,7 +14,11 @@ describe.concurrent('CookieService', () => {
    // helper to create a session file
    function makeSession(sessionId: string, cookieService: CookieService = service) {
        const path = cookieService.getSessionFilePath(sessionId);
-        return ensureFile(path);
+        return writeFile(
+            path,
+            `unraid_login|i:1736523078;unraid_user|s:4:"root";locale|s:0:"";buildDate|s:8:"20241202";`,
+            'ascii'
+        );
    }

    beforeAll(async () => {
--- a/api/src/unraid-api/auth/cookie.service.ts
+++ b/api/src/unraid-api/auth/cookie.service.ts
@@ -1,4 +1,5 @@
-import { Inject, Injectable } from '@nestjs/common';
+import { Inject, Injectable, Logger } from '@nestjs/common';
+import { readFile } from 'fs/promises';
 import { join } from 'path';

 import { fileExists } from '@app/core/utils/files/file-exists';
@@ -18,6 +19,7 @@ type SessionCookieConfig = {

@Injectable()
 export class CookieService {
+    private readonly logger = new Logger(CookieService.name);
    constructor(
        @Inject(SESSION_COOKIE_CONFIG) readonly opts: SessionCookieConfig = CookieService.defaultOpts()
    ) {}
@@ -60,10 +62,17 @@ export class CookieService {
     */
    private async isValidAuthCookie(cookieName: string, cookieValue: string): Promise<boolean> {
        const { namePrefix } = this.opts;
-        if (!cookieName.startsWith(namePrefix)) {
+        const sessionFile = this.getSessionFilePath(cookieValue);
+        if (!cookieName.startsWith(namePrefix) || !(await fileExists(sessionFile))) {
+            return false;
+        }
+        try {
+            const sessionData = await readFile(sessionFile, 'ascii');
+            return sessionData.includes('unraid_login') && sessionData.includes('unraid_user');
+        } catch (e) {
+            this.logger.error(e, 'Error reading session file');
            return false;
        }
-        return fileExists(this.getSessionFilePath(cookieValue));
    }

    /**
				`@@ -0,0 +1 @@`
				`unraid_login\|i:1736523078;unraid_user\|s:4:"root";locale\|s:0:"";buildDate\|s:8:"20241202";`