fix: correctly handle expired JWE's in cookies

Author: frederikprijck

src/server/cookies.test.ts

@@ -31,9 +31,8 @@ describe("encrypt/decrypt", async () => {
     const payload = { key: "value" };
     const expiration = Math.floor(Date.now() / 1000 - 60); // 60 seconds in the past
     const encrypted = await encrypt(payload, secret, expiration);
-    await expect(() =>
-      decrypt(encrypted, secret)
-    ).rejects.toThrowError(`"exp" claim timestamp check failed`);
+    const decrypted = await decrypt(encrypted, secret);
+    expect(decrypted).toBeNull();
   });
 
   it("should fail to encrypt if a secret is not provided", async () => {

src/server/cookies.ts

@@ -39,17 +39,24 @@ export async function encrypt(
 }
 
 export async function decrypt<T>(cookieValue: string, secret: string) {
-  const encryptionSecret = await hkdf(
-    DIGEST,
-    secret,
-    "",
-    ENCRYPTION_INFO,
-    BYTE_LENGTH
-  );
+  try {
+    const encryptionSecret = await hkdf(
+      DIGEST,
+      secret,
+      "",
+      ENCRYPTION_INFO,
+      BYTE_LENGTH
+    );
 
-  const cookie = await jose.jwtDecrypt<T>(cookieValue, encryptionSecret, {});
+    const cookie = await jose.jwtDecrypt<T>(cookieValue, encryptionSecret, {});
 
-  return cookie;
+    return cookie;
+  } catch (e: any) {
+    if (e.code === "ERR_JWT_EXPIRED") {
+      return null;
+    }
+    throw e;
+  }
 }
 
 /**

src/server/session/stateful-session-store.ts

@@ -72,9 +72,16 @@ export class StatefulSessionStore extends AbstractSessionStore {
     // this ensures that v3 sessions are respected and can be transparently rolled over to v4+ sessions
     let sessionId: string | null = null;
     try {
-      const { payload: sessionCookie } =
-        await cookies.decrypt<SessionCookieValue>(cookie.value, this.secret);
-      sessionId = sessionCookie.id;
+      const sessionCookie = await cookies.decrypt<SessionCookieValue>(
+        cookie.value,
+        this.secret
+      );
+
+      if (sessionCookie === null) {
+        return null;
+      }
+
+      sessionId = sessionCookie.payload.id;
     } catch (e: any) {
       // the session cookie could not be decrypted, try to verify if it's a legacy session
       if (e.code === "ERR_JWE_INVALID") {
@@ -115,9 +122,12 @@ export class StatefulSessionStore extends AbstractSessionStore {
     let sessionId = null;
     const cookieValue = reqCookies.get(this.sessionCookieName)?.value;
     if (cookieValue) {
-      const { payload: sessionCookie } =
+      const sessionCookie =
         await cookies.decrypt<SessionCookieValue>(cookieValue, this.secret);
-      sessionId = sessionCookie.id;
+
+      if (sessionCookie) {
+        sessionId = sessionCookie.payload.id;
+      }
     }
 
     // if this is a new session created by a new login we need to remove the old session
@@ -130,17 +140,17 @@ export class StatefulSessionStore extends AbstractSessionStore {
     if (!sessionId) {
       sessionId = generateId();
     }
-    
+
     const maxAge = this.calculateMaxAge(session.internal.createdAt);
     const expiration = Date.now() / 1000 + maxAge;
     const jwe = await cookies.encrypt(
       {
         id: sessionId
       },
       this.secret,
-      expiration,
+      expiration
     );
-    
+
     resCookies.set(this.sessionCookieName, jwe.toString(), {
       ...this.cookieConfig,
       maxAge
@@ -168,11 +178,13 @@ export class StatefulSessionStore extends AbstractSessionStore {
       return;
     }
 
-    const { payload: session } = await cookies.decrypt<SessionCookieValue>(
+    const session = await cookies.decrypt<SessionCookieValue>(
       cookieValue,
       this.secret
     );
 
-    await this.store.delete(session.id);
+    if (session) {
+      await this.store.delete(session.payload.id);
+    }
   }
 }

src/server/session/stateless-session-store.test.ts

@@ -209,27 +209,75 @@ describe("Stateless Session Store", async () => {
           sid: "auth0-sid",
           createdAt: Math.floor(Date.now() / 1000)
         },
-        federatedConnectionTokenSets: [
-          {
-            connection: "google-oauth",
-            accessToken: "google-at-123",
-            expiresAt: 123456
-          }
-        ]
+      };
+
+      const googleConnectionTokenSet = {
+        connection: "google-oauth",
+        accessToken: "google-at-123",
+        expiresAt: 123456
       };
       const maxAge = 60 * 60; // 1 hour in seconds
       const expiration = Math.floor(Date.now() / 1000 + maxAge);
       const encryptedCookieValue = await encrypt(session, secret, expiration);
+      const encryptedGoogleConnectionCookieValue = await encrypt(googleConnectionTokenSet, secret, expiration);
 
       const headers = new Headers();
-      headers.append("cookie", `__session=${encryptedCookieValue}`);
+      headers.append("cookie", `__session=${encryptedCookieValue};__FC.0=${encryptedGoogleConnectionCookieValue}`);
       const requestCookies = new RequestCookies(headers);
 
       const sessionStore = new StatelessSessionStore({
         secret
       });
 
-      expect(await sessionStore.get(requestCookies)).toEqual(expect.objectContaining(session));
+      const result = await sessionStore.get(requestCookies);
+
+      expect(result).toEqual(expect.objectContaining(session));
+      expect(result?.connectionTokenSets).toEqual([expect.objectContaining(googleConnectionTokenSet)]);
+    });
+
+    it("should return the decrypted session cookie if it exists and exclude a connection when the JWE is expired", async () => {
+      const secret = await generateSecret(32);
+      const session: SessionData = {
+        user: { sub: "user_123" },
+        tokenSet: {
+          accessToken: "at_123",
+          refreshToken: "rt_123",
+          expiresAt: 123456
+        },
+        internal: {
+          sid: "auth0-sid",
+          createdAt: Math.floor(Date.now() / 1000)
+        },
+      };
+      
+      const googleConnectionTokenSet = {
+        connection: "google-oauth",
+        accessToken: "google-at-123",
+        expiresAt: 123456
+      };
+      const githubConnectionTokenSet = {
+        connection: "github",
+        accessToken: "github-at-123",
+        expiresAt: 123456
+      };
+      const maxAge = 60 * 60; // 1 hour in seconds
+      const expiration = Math.floor(Date.now() / 1000 + maxAge);
+      const encryptedCookieValue = await encrypt(session, secret, expiration);
+      const encryptedGoogleConnectionCookieValue = await encrypt(googleConnectionTokenSet, secret, Math.floor(Date.now() / 1000 - 10)); // expired
+      const encryptedGithubConnectionCookieValue = await encrypt(githubConnectionTokenSet, secret, expiration);
+
+      const headers = new Headers();
+      headers.append("cookie", `__session=${encryptedCookieValue};__FC.0=${encryptedGoogleConnectionCookieValue};__FC.1=${encryptedGithubConnectionCookieValue}`);
+      const requestCookies = new RequestCookies(headers);
+
+      const sessionStore = new StatelessSessionStore({
+        secret
+      });
+
+      const result = await sessionStore.get(requestCookies);
+
+      expect(result).toEqual(expect.objectContaining(session));
+      expect(result?.connectionTokenSets).toEqual([expect.objectContaining(githubConnectionTokenSet)]);
     });
   });
 
@@ -320,9 +368,8 @@ describe("Stateless Session Store", async () => {
 
         expect(cookie).toBeDefined();
 
-        await expect(
-          decrypt(cookie!.value, secret)
-        ).rejects.toThrow(`"exp" claim timestamp check failed`);
+        const decryptedSession = await decrypt(cookie!.value, secret);
+        expect(decryptedSession).toEqual(null);
       });
 
       it("should delete the legacy cookie if it exists", async () => {

src/server/session/stateless-session-store.ts

@@ -54,25 +54,37 @@ export class StatelessSessionStore extends AbstractSessionStore {
       SessionData | LegacySessionPayload
     >(cookieValue, this.secret);
 
+    if (!originalSession) {
+      return null;
+    }
+
     const normalizedStatelessSession =
       normalizeStatelessSession(originalSession);
 
     // As connection access tokens are stored in seperate cookies,
     // we need to get all cookies and only use those that are prefixed with `this.connectionTokenSetsCookieName`
-    const connectionTokenSets = await Promise.all(
-      this.getConnectionTokenSetsCookies(reqCookies).map((cookie) =>
-        cookies.decrypt<ConnectionTokenSet>(cookie.value, this.secret)
-      )
+    const connectionTokenSetsCookies = this.getConnectionTokenSetsCookies(
+      reqCookies
     );
 
+    const connectionTokenSets = [];
+    for (const cookie of connectionTokenSetsCookies) {
+      const decryptedCookie = await cookies.decrypt<ConnectionTokenSet>(
+        cookie.value,
+        this.secret
+      );
+
+      if (decryptedCookie) {
+        connectionTokenSets.push(decryptedCookie.payload);
+      }
+    }
+
     return {
       ...normalizedStatelessSession,
       // Ensure that when there are no connection token sets, we omit the property.
       ...(connectionTokenSets.length
         ? {
-            connectionTokenSets: connectionTokenSets.map(
-              (tokenSet) => tokenSet.payload
-            )
+            connectionTokenSets
           }
         : {})
     };