Refresh the userCtx expiry when getting session

This keeps pushing the userCtx expiry date a year ahead so it's
unlikely to ever expire in normal usage conditions. If this cookie
expires then the user is redirected to the login page despite
having a valid CouchDB session and AuthSession cookie.

#6583

(cherry picked from commit e5ba490)

Author: garethbowen

api/src/controllers/login.js

@@ -8,11 +8,8 @@ const fs = require('fs'),
   environment = require('../environment'),
   config = require('../config'),
   cookie = require('../services/cookie'),
-  SESSION_COOKIE_RE = /AuthSession=([^;]*);/,
-  ONE_YEAR = 31536000000,
   logger = require('../logger'),
-  db = require('../db'),
-  production = process.env.NODE_ENV === 'production';
+  db = require('../db');
 
 let loginTemplate;
 
@@ -89,30 +86,8 @@ const createSession = req => {
   });
 };
 
-const getCookieOptions = () => {
-  return {
-    sameSite: 'lax', // prevents the browser from sending this cookie along with some cross-site requests
-    secure: production, // only transmit when requesting via https unless in development mode
-  };
-};
-
-const setSessionCookie = (res, cookie) => {
-  const sessionId = SESSION_COOKIE_RE.exec(cookie)[1];
-  const options = getCookieOptions();
-  options.httpOnly = true; // don't allow javascript access to stop xss
-  res.cookie('AuthSession', sessionId, options);
-};
-
 const setUserCtxCookie = (res, userCtx) => {
-  const options = getCookieOptions();
-  options.maxAge = ONE_YEAR;
-  res.cookie('userCtx', JSON.stringify(userCtx), options);
-};
-
-const setLocaleCookie = (res, locale) => {
-  const options = getCookieOptions();
-  options.maxAge = ONE_YEAR;
-  res.cookie('locale', locale, options);
+  cookie.setUserCtx(res, JSON.stringify(userCtx));
 };
 
 const getRedirectUrl = userCtx => {
@@ -136,13 +111,13 @@ const setCookies = (req, res, sessionRes) => {
   return auth
     .getUserCtx(options)
     .then(userCtx => {
-      setSessionCookie(res, sessionCookie);
+      cookie.setSession(res, sessionCookie);
       setUserCtxCookie(res, userCtx);
       // Delete login=force cookie
       res.clearCookie('login');
       return auth.getUserSettings(userCtx).then(({ language }={}) => {
         if (language) {
-          setLocaleCookie(res, language);
+          cookie.setLocale(res, language);
         }
         res.status(302).send(getRedirectUrl(userCtx));
       });

api/src/routing.js

@@ -35,6 +35,7 @@ const _ = require('underscore'),
   authorization = require('./middleware/authorization'),
   createUserDb = require('./controllers/create-user-db'),
   purgedDocsController = require('./controllers/purged-docs'),
+  cookie = require('./services/cookie'),
   staticResources = /\/(templates|static)\//,
   // CouchDB is very relaxed in matching routes
   routePrefix = '/+' + environment.db + '/+',
@@ -247,6 +248,16 @@ ONLINE_ONLY_ENDPOINTS.forEach(url =>
   app.all(routePrefix + url, authorization.offlineUserFirewall)
 );
 
+// allow anyone to access their session
+app.all('/_session', function(req, res) {
+  const given = cookie.get(req, 'userCtx');
+  if (given) {
+    // update the expiry date on the cookie to keep it fresh
+    cookie.setUserCtx(res, decodeURIComponent(given));
+  }
+  proxy.web(req, res);
+});
+
 var UNAUDITED_ENDPOINTS = [
   // This takes arbitrary JSON, not whole documents with `_id`s, so it's not
   // auditable in our current framework
@@ -262,8 +273,6 @@ var UNAUDITED_ENDPOINTS = [
   // Interacting with mongo filters uses POST
   routePrefix + '_find',
   routePrefix + '_explain',
-  // allow anyone to access their _session information
-  '/_session',
 ];
 
 UNAUDITED_ENDPOINTS.forEach(function(url) {

api/src/services/cookie.js

@@ -1,3 +1,14 @@
+const production = process.env.NODE_ENV === 'production';
+const ONE_YEAR = 31536000000;
+const SESSION_COOKIE_RE = /AuthSession=([^;]*);/;
+
+const getCookieOptions = () => {
+  return {
+    sameSite: 'lax', // prevents the browser from sending this cookie along with some cross-site requests
+    secure: production, // only transmit when requesting via https unless in development mode
+  };
+};
+
 module.exports = {
   get: (req, name) => {
     const cookies = req.headers && req.headers.cookie;
@@ -7,5 +18,21 @@ module.exports = {
     const prefix = name + '=';
     const cookie = cookies.split(';').find(cookie => cookie.trim().startsWith(prefix));
     return cookie && cookie.trim().substring(prefix.length);
+  },
+  setUserCtx: (res, content) => {
+    const options = getCookieOptions();
+    options.maxAge = ONE_YEAR;
+    res.cookie('userCtx', content, options);
+  },
+  setSession: (res, cookie) => {
+    const sessionId = SESSION_COOKIE_RE.exec(cookie)[1];
+    const options = getCookieOptions();
+    options.httpOnly = true; // don't allow javascript access to stop xss
+    res.cookie('AuthSession', sessionId, options);
+  },
+  setLocale: (res, locale) => {
+    const options = getCookieOptions();
+    options.maxAge = ONE_YEAR;
+    res.cookie('locale', locale, options);
   }
 };

tests/e2e/api/routing.js

@@ -1,4 +1,5 @@
 const _ = require('underscore'),
+  moment = require('moment'),
   utils = require('../../utils'),
   constants = require('../../constants');
 
@@ -632,10 +633,78 @@ describe('routing', () => {
     });
   });
 
+  describe('_session endpoint', () => {
+
+    it('logs the user in', () => {
+
+      const username = 'offline';
+      const now = moment.utc();
+      const userCtxCookie = {
+        name: username,
+        roles: [ 'chw' ]
+      };
+
+      const createSession = () => {
+        return utils.request({
+          resolveWithFullResponse: true,
+          json: true,
+          path: '/_session',
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: { name: username, password },
+          username,
+          password
+        });
+      };
+
+      const getSession = sessionCookie => {
+        return utils.request({
+          resolveWithFullResponse: true,
+          path: '/_session',
+          method: 'GET',
+          headers: {
+            Cookie: `locale=en; ${sessionCookie}; userCtx=${JSON.stringify(userCtxCookie)}`,
+          },
+          noAuth: true
+        });
+      };
+
+      return createSession()
+        .then(res => {
+          expect(res.statusCode).toEqual(200);
+          expect(res.headers['set-cookie'].length).toEqual(1);
+          const sessionCookie = res.headers['set-cookie'][0].split(';')[0];
+          expect(sessionCookie.split('=')[0]).toEqual('AuthSession');
+          return sessionCookie;
+        })
+        .then(sessionCookie => getSession(sessionCookie))
+        .then(res => {
+          expect(res.statusCode).toEqual(200);
+          expect(res.headers['set-cookie'].length).toEqual(1);
+          const [ content, age, path, expires, samesite ] = res.headers['set-cookie'][0].split('; ');
+
+          // check the cookie content is unchanged
+          const [ contentKey, contentValue ] = content.split('=');
+          expect(contentKey).toEqual('userCtx');
+          expect(decodeURIComponent(contentValue)).toEqual(JSON.stringify(userCtxCookie));
+
+          // check the expiry date is around a year away
+          const expiryValue = expires.split('=')[1];
+          const expiryDate = moment.utc(expiryValue).add(1, 'hour'); // add a small margin of error
+          expect(expiryDate.diff(now, 'months')).toEqual(12);
+
+          // check the other properties
+          expect(samesite).toEqual('SameSite=Lax');
+          expect(age).toEqual('Max-Age=31536000');
+          expect(path).toEqual('Path=/');
+        });
+    });
+  });
+
   describe('legacy endpoints', () => {
     afterEach(done => utils.revertSettings().then(done));
 
-    it('should still route to deprecate apiV0 settings endpoints', () => {
+    it('should still route to deprecated apiV0 settings endpoints', () => {
       let settings;
       return utils
         .updateSettings({}) // this test will update settings that we want successfully reverted afterwards