feat: enhance session security and freshness

- Sliding expiration: reset 24h TTL on every Redis session access
- SameSite=Strict on login and logout cookies (was Lax)
- Secure flag on logout cookie in production (was missing)
- Re-fetch user from DB on every request in buildContext so role/avatar/
  admin changes take effect immediately without requiring re-login

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 11:10:01 +01:00
parent bff354094e
commit dcf2fbd3d4
3 changed files with 32 additions and 4 deletions


@@ -45,7 +45,7 @@ builder.mutationField("login", (t) =>
// Set session cookie
const isProduction = process.env.NODE_ENV === "production";
const cookieValue = `session_token=${token}; HttpOnly; Path=/; SameSite=Lax; Max-Age=86400${isProduction ? "; Secure" : ""}`;
const cookieValue = `session_token=${token}; HttpOnly; Path=/; SameSite=Strict; Max-Age=86400${isProduction ? "; Secure" : ""}`;
(ctx.reply as any).header?.("Set-Cookie", cookieValue);
// For graphql-yoga response
@@ -74,7 +74,8 @@ builder.mutationField("logout", (t) =>
await deleteSession(token);
}
// Clear cookie
const cookieValue = "session_token=; HttpOnly; Path=/; Max-Age=0";
const isProduction = process.env.NODE_ENV === "production";
const cookieValue = `session_token=; HttpOnly; Path=/; SameSite=Strict; Max-Age=0${isProduction ? "; Secure" : ""}`;
(ctx.reply as any).header?.("Set-Cookie", cookieValue);
return true;
},
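Review bot: The login cookie on the changed line keeps a fixed `Max-Age=86400` counted from login, so the sliding 24h Redis TTL named in the description extends only the server-side record; the browser drops the cookie 24h after login no matter how active the user was, unless the Set-Cookie is re-issued when the TTL is reset (the Redis side is in a file not shown here, so the mismatch is inferred from the description). Either re-send the cookie on refresh or drop `Max-Age` so the cookie is browser-session scoped and Redis alone bounds its lifetime. Separately, login and logout now each hand-assemble the attribute string, and logout had already drifted (no SameSite, no Secure) before this commit; a clearing cookie only takes effect when Path, Secure and SameSite match the original, so both should go through one helper that also computes the production check once. Both resolver bodies begin before their hunks.
```typescript
// module level, above the resolvers
function sessionCookie(value: string, maxAge: number): string {
  const secure = process.env.NODE_ENV === "production" ? "; Secure" : "";
  return `session_token=${value}; HttpOnly; Path=/; SameSite=Strict; Max-Age=${maxAge}${secure}`;
}

// … unchanged: login resolver up to the cookie …
const cookieValue = sessionCookie(token, 86400);

// … unchanged: logout resolver up to the cookie …
const cookieValue = sessionCookie("", 0);
```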