Improve session init and timeout handling

bbbeasy-backend/app/config/access.ini

@@ -48,16 +48,11 @@ allow GET  @settings_collect            = *
 
 allow PUT    @recording_publish        = *
 allow POST @settings_save_logo          = *
-
 
- 
- 
+; initial user session loading
+allow GET  @users_init   = *
 
 allow GET  @file               = *
 
 ; notification routes
 allow GET @warning_notification = *
-
-
-
-

bbbeasy-backend/app/config/routes.ini

@@ -59,10 +59,10 @@ GET @roles_permissions_collect : /api/roles-permissions = Actions\RolesPermissio
 
 ; users routes
 GET     @users_index    : /api/users                 = Actions\Users\Index->show
+GET     @users_init     : /api/users/session         = Actions\Users\Session->execute
 POST    @users_add      : /api/users                 = Actions\Users\Add->save
 PUT     @users_edit     : /api/users/@id             = Actions\Users\Edit->save
 DELETE  @user_delete    : /api/users/@id             = Actions\Users\Delete->execute
-
 ; presets routes
 GET     @presets_index              : /api/presets/@user_id             = Actions\Presets\Index->show
 POST    @presets_add                : /api/presets                      = Actions\Presets\Add->save

bbbeasy-backend/app/src/Actions/Account/ChangePassword.php

@@ -96,7 +96,7 @@ private function changePassword($user, $password, $resetToken, $errorMessage): v
     {
         try {
             $user->password = $password;
-            $user->status = UserStatus::ACTIVE;
+            $user->status   = UserStatus::ACTIVE;
             $resetToken->save();
             $user->save();
         } catch (\Exception $e) {

bbbeasy-backend/app/src/Actions/Base.php

@@ -111,9 +111,17 @@ public function __construct()
 
     public function beforeroute(): void
     {
+        if ($this->session->isLoggedIn() && !$this->session->getSession(session_id())) {
+            $this->session->revokeUser();
+            $this->f3->error(401);
+
+            exit;
+        }
+
         $this->access->authorize($this->getRole(), function($route, $subject): void {
             $this->onAccessAuthorizeDeny($route, $subject);
         });
+
         if ($this->session->isLoggedIn() && $this->f3->get('ALIAS') === $this->f3->get('ALIASES.login')) {
             $this->f3->reroute($this->f3->get('ALIASES.home'));
         } elseif ('POST' === $this->f3->VERB && !$this->session->validateToken()) {
@@ -130,7 +138,10 @@ public function beforeroute(): void
     public function onAccessAuthorizeDeny($route, $subject): void
     {
         $this->logger->warning('Access denied to route ' . $route . ' for subject ' . ($subject ?: 'unknown'));
-        $this->f3->error(404);
+        if (!$this->session->isLoggedIn()) {
+            $this->f3->error(401);
+        }
+        $this->f3->error(403);
     }
 
     /**

bbbeasy-backend/app/src/Actions/Recordings/Publish.php

@@ -8,16 +8,16 @@
  * Copyright (c) 2022-2023 RIADVICE SUARL and by respective authors (see below).
  *
  * This program is free software; you can redistribute it and/or modify it under the
- * terms of the GNU Lesser General Public License as published by the Free Software
+ * terms of the GNU Affero General Public License as published by the Free Software
  * Foundation; either version 3.0 of the License, or (at your option) any later
  * version.
  *
- * BBBEasy is distributed in the hope that it will be useful, but WITHOUT ANY
+ * BBBeasy is distributed in the hope that it will be useful, but WITHOUT ANY
  * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
- * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ * PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
  *
- * You should have received a copy of the GNU Lesser General Public License along
- * with BBBEasy; if not, see <http://www.gnu.org/licenses/>.
+ * You should have received a copy of the GNU Affero General Public License along
+ * with BBBeasy. If not, see <https://www.gnu.org/licenses/>
  */
 
 namespace Actions\Recordings;

bbbeasy-backend/app/src/Actions/RequirePrivilegeTrait.php

@@ -22,6 +22,4 @@
 
 namespace Actions;
 
-trait RequirePrivilegeTrait
-{
-}
+trait RequirePrivilegeTrait {}

bbbeasy-backend/app/src/Actions/Roles/Edit.php

@@ -146,6 +146,9 @@ public function save($f3, $params): void
 
             try {
                 $role->save();
+                if ($roleId === $this->session->get('user.roleId')) {
+                    $this->session->set('user.role', $role->name);
+                }
             } catch (\Exception $e) {
                 $this->logger->error($errorMessage, ['error' => $e->getMessage()]);
                 $this->renderJson(['errors' => $e->getMessage()], ResponseCode::HTTP_INTERNAL_SERVER_ERROR);

bbbeasy-backend/app/src/Actions/Users/Session.php

@@ -0,0 +1,58 @@
+<?php
+
+/*
+ * BBBEasy open source platform - https://riadvice.tn/
+ *
+ * Copyright (c) 2022-2023 RIADVICE SUARL and by respective authors (see below).
+ *
+ * This program is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Affero General Public License as published by the Free Software
+ * Foundation; either version 3.0 of the License, or (at your option) any later
+ * version.
+ *
+ * BBBeasy is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License along
+ * with BBBeasy. If not, see <https://www.gnu.org/licenses/>
+ */
+
+namespace Actions\Users;
+
+use Actions\Base as BaseAction;
+use Models\User;
+use Models\UserSession;
+
+class Session extends BaseAction
+{
+    public function execute($f3, $params)
+    {
+        $user    = new User();
+        $user_id = $this->session->get('user.id');
+
+        if (!$user_id) {
+            $this->session->revokeUser();
+
+            $this->f3->error(401);
+        }
+
+        $Infos = $user->getById($user_id);
+
+        $userInfos = [
+            'id'          => $Infos->id,
+            'username'    => $Infos->username,
+            'email'       => $Infos->email,
+            'role'        => $Infos->role->name,
+            'avatar'      => $Infos->avatar,
+            'permissions' => $Infos->role->getRolePermissions(),
+        ];
+        $userSession  = new UserSession();
+        $sessionInfos = [
+            'PHPSESSID' => session_id(),
+            'expires'   => $userSession->getSessionExpirationTime(session_id()),
+        ];
+
+        $this->renderJson(['user' => $userInfos, 'session' => $sessionInfos]);
+    }
+}

bbbeasy-backend/app/src/Core/Session.php

@@ -54,6 +54,7 @@ class Session extends \Prefab
      */
     public function __construct(SQL $db = null, $table = 'sessions', $force = false, $onsuspect = null, $key = null)
     {
+        $this->db = $db ?: \Registry::get('db');
         $this->f3 = \Base::instance();
         $this->initLogger();
         if ('CACHE' === $table) {
@@ -100,6 +101,17 @@ public function set($key, $value): void
         $this->f3->sync('SESSION');
     }
 
+    public function getSession($sessionId)
+    {
+        $result = $this->db->exec('SELECT expires FROM users_sessions where session_id = :session', [':session' => $sessionId]);
+
+        if (\count($result) < 1) {
+            return false;
+        }
+
+        return true;
+    }
+
     /**
      * @param mixed $key
      *

bbbeasy-backend/app/src/Models/User.php

@@ -116,11 +116,13 @@ public function usernameExists(string $username, $id = null): bool
     {
         return $this->load(['lower(username) = ? and  id != ?', mb_strtolower($username), $id]);
     }
-    public function getUsers($username,$email){
-        $data = [];
-        $users = $this->find(['username !=  ? and email != ? ', $username,  $email ]);
+
+    public function getUsers($username, $email)
+    {
+        $data  = [];
+        $users = $this->find(['username !=  ? and email != ? ', $username, $email]);
         if ($users) {
-            $data = $users->castAll(['username', 'email','password']);
+            $data = $users->castAll(['username', 'email', 'password']);
         }
 
         return $data;

bbbeasy-backend/app/src/Utils/PresetProcessor.php

@@ -33,12 +33,9 @@
 use Enum\Presets\LockSettings;
 use Enum\Presets\Presentation;
 use Enum\Presets\Recording;
-
-use Enum\Presets\Security;
-
 use Enum\Presets\Screenshare;
+use Enum\Presets\Security;
 use Enum\Presets\UserExperience;
-
 use Enum\Presets\Webcams;
 use Enum\Presets\Whiteboard;
 
@@ -80,10 +77,8 @@ public function toCreateMeetingParams($preset, $createParams)
         $presetsData->setData(BreakoutRooms::GROUP_NAME, BreakoutRooms::PRIVATE_CHAT, $preparePresetData[BreakoutRooms::GROUP_NAME][BreakoutRooms::PRIVATE_CHAT]);
 
         $presetsData->setData(General::GROUP_NAME, General::DURATION, $preparePresetData[General::GROUP_NAME][General::DURATION] ?: null);
-
 
         $presetsData->setData(General::GROUP_NAME, General::MAXIMUM_PARTICIPANTS, $preparePresetData[General::GROUP_NAME][General::MAXIMUM_PARTICIPANTS] ?: null);
-
 
         $presetsData->setData(General::GROUP_NAME, General::MAXIMUM_PARTICIPANTS, $preparePresetData[General::GROUP_NAME][General::MAXIMUM_PARTICIPANTS] ?: null);
         $presetsData->setData(General::GROUP_NAME, General::WELCOME, $preparePresetData[General::GROUP_NAME][General::WELCOME]);
@@ -104,14 +99,12 @@ public function toCreateMeetingParams($preset, $createParams)
         $presetsData->setData(Recording::GROUP_NAME, Recording::AUTO_START, $preparePresetData[Recording::GROUP_NAME][Recording::AUTO_START]);
         $presetsData->setData(Recording::GROUP_NAME, Recording::ALLOW_START_STOP, $preparePresetData[Recording::GROUP_NAME][Recording::ALLOW_START_STOP]);
         $presetsData->setData(Recording::GROUP_NAME, Recording::RECORD, $preparePresetData[Recording::GROUP_NAME][Recording::RECORD]);
-
 
         $presetsData->setData(Security::GROUP_NAME, Security::PASSWORD_FOR_MODERATOR, $preparePresetData[Security::GROUP_NAME][Security::PASSWORD_FOR_MODERATOR]);
         $presetsData->setData(Security::GROUP_NAME, Security::PASSWORD_FOR_ATTENDEE, $preparePresetData[Security::GROUP_NAME][Security::PASSWORD_FOR_ATTENDEE]);
 
-
         $presetsData->setData(Screenshare::GROUP_NAME, Screenshare::CONFIGURABLE, $preparePresetData[Screenshare::GROUP_NAME][Screenshare::CONFIGURABLE]);
- 
+
         $presetsData->setData(Webcams::GROUP_NAME, Webcams::VISIBLE_FOR_MODERATOR_ONLY, $preparePresetData[Webcams::GROUP_NAME][Webcams::VISIBLE_FOR_MODERATOR_ONLY]);
         $presetsData->setData(Webcams::GROUP_NAME, Webcams::MODERATOR_ALLOWED_CAMERA_EJECT, $preparePresetData[Webcams::GROUP_NAME][Webcams::MODERATOR_ALLOWED_CAMERA_EJECT]);
 

bbbeasy-backend/app/src/Utils/SecurityUtils.php

@@ -30,20 +30,18 @@ class SecurityUtils
 
     public static function credentialsAreCommon(string $username, string $email, string $password): string|null
     {
-        $user=new User();
+        $user = new User();
 
+        $users = $user->getUsers($username, $email);
 
-        $users=$user->getUsers($username,$email);
-
-        foreach ($users as $user1){
-            $user=$user->getByEmail($user1['email']);
-            if($user->verifyPassword($password)){
+        foreach ($users as $user1) {
+            $user = $user->getByEmail($user1['email']);
+            if ($user->verifyPassword($password)) {
                 return 'Avoid choosing a common password';
             }
         }
         // @fixme: to be cached, reload to cache if update time changed
 
-
         return null;
     }