feat: drop outdated session (#14373)

#### PR Dependency Tree


* **PR #14373** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added client version tracking and validation to ensure application
compatibility across authentication flows and sessions.
* Enhanced OAuth authentication with improved version handling during
sign-in and refresh operations.

* **Bug Fixes**
* Improved payment callback URL handling with safer defaults for
redirect links.

* **Tests**
* Expanded test coverage for client version enforcement and session
management.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
This commit is contained in:
DarkSky
2026-02-05 21:35:36 +08:00
committed by GitHub
parent 161eb302fd
commit 944fab36ac
29 changed files with 845 additions and 125 deletions
@@ -5,7 +5,12 @@ import type { Request } from 'express';
import { nanoid } from 'nanoid';
import { z } from 'zod';
import { CaptchaVerificationFailed, Config, OnEvent } from '../../base';
import {
CaptchaVerificationFailed,
Config,
getRequestClientIp,
OnEvent,
} from '../../base';
import { ServerFeature, ServerService } from '../../core';
import { Models, TokenType } from '../../models';
import { verifyChallengeResponse } from '../../native';
@@ -133,7 +138,7 @@ export class CaptchaService {
} else {
const isTokenVerified = await this.verifyCaptchaToken(
credential.token,
req.headers['CF-Connecting-IP'] as string
getRequestClientIp(req)
);
if (!isTokenVerified) {
@@ -15,6 +15,7 @@ import type { Request, Response } from 'express';
import {
ActionForbidden,
Config,
getClientVersionFromRequest,
InvalidAuthState,
InvalidOauthCallbackState,
MissingOauthQueryParameter,
@@ -50,6 +51,7 @@ export class OAuthController {
@Post('/preflight')
@HttpCode(HttpStatus.OK)
async preflight(
@Req() req: Request,
@Body('provider') unknownProviderName?: keyof typeof OAuthProviderName,
@Body('redirect_uri') redirectUri?: string,
@Body('client') client?: string,
@@ -75,11 +77,13 @@ export class OAuthController {
throw new ActionForbidden();
}
const clientVersion = getClientVersionFromRequest(req);
const state = await this.oauth.saveOAuthState({
provider: providerName,
redirectUri,
client,
clientNonce,
clientVersion,
...(pkce
? {
pkce: {
@@ -220,7 +224,7 @@ export class OAuthController {
tokens
);
await this.auth.setCookies(req, res, user.id);
await this.auth.setCookies(req, res, user.id, state.clientVersion);
if (
state.provider === OAuthProviderName.Apple &&
@@ -13,6 +13,7 @@ export interface OAuthState {
redirectUri?: string;
client?: string;
clientNonce?: string;
clientVersion?: string;
provider: OAuthProviderName;
pkce?: OAuthPkceState;
token?: string;
@@ -87,7 +87,7 @@ export class SelfhostTeamSubscriptionManager extends SubscriptionManager {
return { allow_promotion_codes: true };
})();
let successUrl = this.url.link(params.successCallbackLink);
let successUrl = this.url.safeLink(params.successCallbackLink || '/');
// stripe only accept unescaped '{CHECKOUT_SESSION_ID}' as query
successUrl = this.url.addSimpleQuery(
successUrl,
@@ -204,7 +204,7 @@ export class UserSubscriptionManager extends SubscriptionManager {
],
...mode,
...discounts,
success_url: this.url.link(params.successCallbackLink),
success_url: this.url.safeLink(params.successCallbackLink || '/'),
});
}
@@ -120,7 +120,7 @@ export class WorkspaceSubscriptionManager extends SubscriptionManager {
},
},
...discounts,
success_url: this.url.link(params.successCallbackLink),
success_url: this.url.safeLink(params.successCallbackLink || '/'),
});
}