From c05e3822c41903c4421d2395382c1c96985173df Mon Sep 17 00:00:00 2001 From: isKonstantin Date: Sun, 28 Jul 2024 21:41:16 +0300 Subject: [PATCH] Fixed sessions vulnerability, some improvements --- components/modal/user/sessions.vue | 43 +++++++++++++++++++----------- lang/en-US.json | 11 ++++++++ lang/ru-RU.json | 12 +++++++++ libs/api/sessions/SessionsApi.ts | 2 +- package.json | 2 +- 5 files changed, 52 insertions(+), 18 deletions(-) diff --git a/components/modal/user/sessions.vue b/components/modal/user/sessions.vue index a60e7be..278eece 100644 --- a/components/modal/user/sessions.vue +++ b/components/modal/user/sessions.vue @@ -11,25 +11,30 @@ - - - - - - + + + + + - + - - - + @@ -68,19 +73,18 @@ const props = defineProps({ const { t, locale } = useI18n(); -const {$serverConfigs, $auth, $sessionsApi, $toastsManager } = useNuxtApp(); +const {$serverConfigs, $sessionsApi, $auth, $toastsManager } = useNuxtApp(); const configs = $serverConfigs.configs.users; const emit = defineEmits(['close']) -const sessions = ref([]); -const currentSessionToken = $auth.state().token; +const sessionsData = ref([]); const newSessionDescription = ref(); const fetchSessions = async () => { - sessions.value = await $sessionsApi.getSessions(); + sessionsData.value = await $sessionsApi.getSessions(); } watch(() => props.opened, async () => { @@ -95,6 +99,7 @@ const close = () => { const newSession = () => { $sessionsApi.newSession(configs.userSessionsLifetimeDays, newSessionDescription.value.length > 0 ? newSessionDescription.value : null).then((s) => { if (s) { + copyToClipboard(s); $toastsManager.pushToast(t("modals.sessions.messages.successCreate"), 2500, "success"); fetchSessions(); }else { 
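Review bot: In the `@@ -68,19 +73,18 @@` hunk `sessionsData` is initialised to `[]` and `fetchSessions` stores the result of `$sessionsApi.getSessions()` unchanged, yet the new code reads it as an object (`sessionsData.value.currentId` in the `@@ -105` hunk, and presumably a `sessions` list in the template), and per the SessionsApi.ts hunk that call returns `false` on error. So before the first successful fetch, and after any failed one, the expected shape is absent: the current-session comparison silently evaluates to false and iterating the list will break. Suggest initialising to the consumed shape and keeping the last good value on failure: `const sessionsData = ref({ sessions: [], currentId: null });` and in `fetchSessions` `const result = await $sessionsApi.getSessions(); if (result) sessionsData.value = result;`. The same assumption is inherited by the `deleteSession` guard in the `@@ -105` hunk; the `<script setup>` block continues outside both hunks.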
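Review bot: In the `@@ -95,6 +99,7 @@` hunk the added `copyToClipboard(s)` writes the value returned by `newSession` — which the rest of the change suggests is the new session's secret, though its type is not visible here — to the system clipboard without the user requesting it, and neither the outcome of the copy nor a failure is surfaced: the toast that follows still only reports `successCreate`. Clipboard writes are asynchronous and can be refused (for example outside a secure context), and clipboard contents are readable by any other application, so the copy should either be an explicit action on the created session or at least be reported, with the toast text telling the user the secret is now in their clipboard (a new i18n entry next to `successCreate` rather than reusing it). `copyToClipboard` is not imported in any visible hunk; if it is a project auto-import that is fine, otherwise it will fail at runtime. The enclosing `.then` callback starts and ends outside the hunk.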
@@ -105,6 +110,12 @@ const newSession = () => {
 const deleteSession = (session) => {
 $sessionsApi.deleteSession(session.sessionId).then((s) => {
+ if (s && session.sessionId === sessionsData.value.currentId) {
+ $auth.logout(true);
+
+ return;
+ }
+
 if (s) {
 $toastsManager.pushToast(t("modals.sessions.messages.successDelete"), 2500, "success");
 fetchSessions();
diff --git a/lang/en-US.json b/lang/en-US.json
index d081c49..7ab41d2 100644
--- a/lang/en-US.json
+++ b/lang/en-US.json
@@ -461,6 +461,17 @@
 "placeholders": {
 "description": "Description"
 },
+ "table": {
+ "created": "Created",
+ "expires": "Expires",
+ "meta": "Meta",
+ "description": "Description",
+ "action": "Action"
+ },
+ "badges": {
+ "current": "Current",
+ "limited": "Limited"
+ },
 "messages": {
 "successCreate": "Session created",
 "errorCreate": "Oops, failed to create session",
diff --git a/lang/ru-RU.json b/lang/ru-RU.json
index 9ffbb1f..071b207 100644
--- a/lang/ru-RU.json
+++ b/lang/ru-RU.json
@@ -463,6 +463,18 @@
 "placeholders": {
 "description": "Описание"
 },
+ "table": {
+ "created": "Создан",
+ "expires": "Истекает",
+ "meta": "Мета",
+ "description": "Описание",
+ "action": "Действие"
+ },
+ "badges": {
+ "current": "Текущий",
+ "limited": "Ограниченный"
+ },
+
 "messages": {
 "successCreate": "Сеанс создан",
 "errorCreate": "Ошибка создания сеанса",
diff --git a/libs/api/sessions/SessionsApi.ts b/libs/api/sessions/SessionsApi.ts
index 602f235..62742eb 100644
--- a/libs/api/sessions/SessionsApi.ts
+++ b/libs/api/sessions/SessionsApi.ts
@@ -18,7 +18,7 @@ export class SessionsApi extends AbstractApi {
 return false;
 }
- return data.value?.sessions;
+ return data.value;
 public async newSession(lifetimeDays: number, description: string | null): Promise {
diff --git a/package.json b/package.json
index d47ad8a..20ef78e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "finwave",
- "version": "0.15.0",
+ "version": "0.16.0",
 "private": true,
 "scripts": {
 "build": "nuxt build",
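Review bot: The added branch in `deleteSession` logs the user out the moment the server confirms deletion of the session whose id equals `sessionsData.value.currentId`, with no confirmation beforehand, so a mis-click on the current row locks the user out of the app immediately. A confirm step before calling `$sessionsApi.deleteSession` when `session.sessionId === sessionsData.value.currentId` would prevent that, and it also keeps the destructive decision on the client side where the user can still back out. As a matter of shape, the two consecutive `if (s …)` checks test the same result and read more clearly nested: `if (s) { if (session.sessionId === sessionsData.value.currentId) { $auth.logout(true); return; } … }`. The `.then` callback and the surrounding function continue outside the hunk.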
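Review bot: `getSessions` now returns the whole `data.value` object instead of `data.value?.sessions`, but the optional chaining that tolerated a missing body is gone, so a successful call with an empty payload now yields `undefined` while the error path above still yields `false`; callers must handle two different falsy results. The declared return type sits in the signature above the hunk (the `Promise<…>` generic was stripped in this rendering) and needs to follow the new shape; `return data.value ?? false;` would at least collapse the two failure values into one. Separately, the commit description says it fixes a sessions vulnerability and the template hunk stops rendering `session.token`, yet this client passes the server payload through untouched — whether per-session token fields are still present in that payload is not visible here, and if they are, removing the column only hides the secrets from the table while leaving them in page state, so the response should be trimmed (ideally on the server) rather than just not displayed.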
CreatedExpiresTokenDescriptionAction{{ $t('modals.sessions.table.created') }}{{ $t('modals.sessions.table.expires') }}{{ $t('modals.sessions.table.meta') }}{{ $t('modals.sessions.table.description') }}{{ $t('modals.sessions.table.action') }}
{{ new Date(session.createdAt).toLocaleString(locale, {year: 'numeric', month: 'numeric', day: 'numeric', hour: '2-digit', minute: '2-digit'}) }} {{ new Date(session.expiresAt).toLocaleString(locale, {year: 'numeric', month: 'numeric', day: 'numeric', hour: '2-digit', minute: '2-digit'}) }}

{{ session.token }}

{{ session.description }}

- + +
+
+ {{ $t('modals.sessions.badges.current') }} +
+
+ {{ $t('modals.sessions.badges.limited') }} +
+

{{ session.description }}

- +