1package store
2
3import (
4 "context"
5 cryptorand "crypto/rand"
6 "encoding/base64"
7 "errors"
8 "fmt"
9 "log/slog"
10 "runtime/debug"
11 "sync"
12 "time"
13
14 "github.com/mjl-/bstore"
15
16 "github.com/mjl-/mox/metrics"
17 "github.com/mjl-/mox/mlog"
18 "github.com/mjl-/mox/mox-"
19)
20
21const sessionsPerAccount = 100 // We remove the oldest when 100th is added.
22const sessionLifetime = 24 * time.Hour // Extended automatically by use.
23const sessionWriteDelay = 5 * time.Minute // Per account, for coalescing writes.
24
25var sessions = struct {
26 sync.Mutex
27
28 // For each account, we keep all sessions (with fixed maximum number) in memory. If
29 // the map for an account is nil, it is initialized from the database on first use.
30 accounts map[string]map[SessionToken]LoginSession
31
32 // We flush sessions with extended expiration timestamp to disk with a delay, to
33 // coalesce potentially many changes. The delay is short enough that we don't have
34 // to care about flushing to disk on shutdown.
35 pendingFlushes map[string]map[SessionToken]struct{}
36}{
37 accounts: map[string]map[SessionToken]LoginSession{},
38 pendingFlushes: map[string]map[SessionToken]struct{}{},
39}
40
41// Ensure sessions for account are initialized from database. If the sessions were
42// initialized from the database, or when alwaysOpenAccount is true, an open
43// account is returned (assuming no error occurred).
44//
45// must be called with sessions lock held.
46func ensureAccountSessions(ctx context.Context, log mlog.Log, accountName string, alwaysOpenAccount bool) (*Account, error) {
47 var acc *Account
48 accSessions := sessions.accounts[accountName]
49 if accSessions == nil {
50 var err error
51 acc, err = OpenAccount(log, accountName)
52 if err != nil {
53 return nil, err
54 }
55
56 // We still hold the lock, not great...
57
58 accSessions = map[SessionToken]LoginSession{}
59 err = bstore.QueryDB[LoginSession](ctx, acc.DB).ForEach(func(ls LoginSession) error {
60 // We keep strings around for easy comparison.
61 ls.sessionToken = SessionToken(base64.RawURLEncoding.EncodeToString(ls.SessionTokenBinary[:]))
62 ls.csrfToken = CSRFToken(base64.RawURLEncoding.EncodeToString(ls.CSRFTokenBinary[:]))
63
64 accSessions[ls.sessionToken] = ls
65 return nil
66 })
67 if err != nil {
68 return nil, err
69 }
70
71 sessions.accounts[accountName] = accSessions
72 }
73 if acc == nil && alwaysOpenAccount {
74 return OpenAccount(log, accountName)
75 }
76 return acc, nil
77}
78
79// SessionUse checks if a session is valid. If csrfToken is the empty string, no
80// CSRF check is done. Otherwise it must be the csrf token associated with the
81// session token.
82func SessionUse(ctx context.Context, log mlog.Log, accountName string, sessionToken SessionToken, csrfToken CSRFToken) (LoginSession, error) {
83 sessions.Lock()
84 defer sessions.Unlock()
85
86 acc, err := ensureAccountSessions(ctx, log, accountName, false)
87 if err != nil {
88 return LoginSession{}, err
89 } else if acc != nil {
90 if err := acc.Close(); err != nil {
91 return LoginSession{}, fmt.Errorf("closing account: %w", err)
92 }
93 }
94
95 return sessionUse(ctx, log, accountName, sessionToken, csrfToken)
96}
97
98// must be called with sessions lock held.
99func sessionUse(ctx context.Context, log mlog.Log, accountName string, sessionToken SessionToken, csrfToken CSRFToken) (LoginSession, error) {
100 // Check if valid.
101 ls, ok := sessions.accounts[accountName][sessionToken]
102 if !ok {
103 return LoginSession{}, fmt.Errorf("unknown session token")
104 } else if time.Until(ls.Expires) < 0 {
105 return LoginSession{}, fmt.Errorf("session expired (after 24 hours inactivity)")
106 } else if csrfToken != "" && csrfToken != ls.csrfToken {
107 return LoginSession{}, fmt.Errorf("mismatch between csrf and session tokens")
108 }
109
110 // Extend lifetime.
111 ls.Expires = time.Now().Add(sessionLifetime)
112 sessions.accounts[accountName][sessionToken] = ls
113
114 // If we haven't scheduled a flush to database yet, schedule one now.
115 if sessions.pendingFlushes[accountName] == nil {
116 sessions.pendingFlushes[accountName] = map[SessionToken]struct{}{}
117 go func() {
118 pkglog := mlog.New("store", nil)
119
120 defer func() {
121 x := recover()
122 if x != nil {
123 pkglog.Error("recover from panic", slog.Any("panic", x))
124 debug.PrintStack()
125 metrics.PanicInc(metrics.Store)
126 }
127 }()
128
129 time.Sleep(sessionWriteDelay)
130 sessionsDelayedFlush(pkglog, accountName)
131 }()
132 }
133 sessions.pendingFlushes[accountName][ls.sessionToken] = struct{}{}
134
135 return ls, nil
136}
137
138// wait, then flush all changed sessions for an account.
139func sessionsDelayedFlush(log mlog.Log, accountName string) {
140 sessions.Lock()
141 defer sessions.Unlock()
142
143 sessionTokens := sessions.pendingFlushes[accountName]
144 delete(sessions.pendingFlushes, accountName)
145
146 _, ok := sessions.accounts[accountName]
147 if !ok {
148 // Account may have been removed. Nothing to flush.
149 return
150 }
151
152 acc, err := OpenAccount(log, accountName)
153 if err != nil && errors.Is(err, ErrAccountUnknown) {
154 // Account may have been removed. Nothing to flush.
155 log.Infox("flushing sessions for account", err, slog.String("account", accountName))
156 return
157 }
158 if err != nil {
159 log.Errorx("open account for flushing changed session tokens", err, slog.String("account", accountName))
160 return
161 }
162 defer func() {
163 err := acc.Close()
164 log.Check(err, "closing account")
165 }()
166
167 err = acc.DB.Write(mox.Context, func(tx *bstore.Tx) error {
168 for sessionToken := range sessionTokens {
169 ls, ok := sessions.accounts[accountName][sessionToken]
170 if !ok {
171 return fmt.Errorf("unknown session token to flush")
172 }
173 if err := tx.Update(&ls); err != nil {
174 return err
175 }
176 }
177 return nil
178 })
179 log.Check(err, "flushing changed sessions for account", slog.String("account", accountName))
180}
181
182// SessionAddTokens adds a prepared or pre-existing LoginSession to the database and
183// cache. Can be used to restore a session token that was used to reset a password.
184func SessionAddToken(ctx context.Context, log mlog.Log, ls *LoginSession) error {
185 sessions.Lock()
186 defer sessions.Unlock()
187
188 acc, err := ensureAccountSessions(ctx, log, ls.AccountName, true)
189 if err != nil {
190 return err
191 }
192 defer func() {
193 err := acc.Close()
194 log.Check(err, "closing account after adding session token")
195 }()
196
197 return sessionAddToken(ctx, log, acc, ls)
198}
199
200// caller must hold sessions lock.
201func sessionAddToken(ctx context.Context, log mlog.Log, acc *Account, ls *LoginSession) error {
202 ls.ID = 0
203
204 err := acc.DB.Write(ctx, func(tx *bstore.Tx) error {
205 // Remove sessions if we have too many, starting with expired sessions, and
206 // removing the oldest if needed.
207 if len(sessions.accounts[ls.AccountName]) >= sessionsPerAccount {
208 var oldest LoginSession
209 for _, ols := range sessions.accounts[ls.AccountName] {
210 if time.Until(ols.Expires) < 0 {
211 if err := tx.Delete(&ols); err != nil {
212 return err
213 }
214 delete(sessions.accounts[ls.AccountName], ols.sessionToken)
215 continue
216 }
217 if oldest.ID == 0 || ols.Expires.Before(oldest.Expires) {
218 oldest = ols
219 }
220 }
221 if len(sessions.accounts[ls.AccountName]) >= sessionsPerAccount {
222 if err := tx.Delete(&oldest); err != nil {
223 return err
224 }
225 delete(sessions.accounts[ls.AccountName], oldest.sessionToken)
226 }
227 }
228
229 if err := tx.Insert(ls); err != nil {
230 return fmt.Errorf("insert: %v", err)
231 }
232 return nil
233 })
234 if err != nil {
235 return err
236 }
237 sessions.accounts[ls.AccountName][ls.sessionToken] = *ls
238 return nil
239}
240
241// SessionAdd creates a new session token, with csrf token, and adds it to the
242// database and in-memory session cache. If there are too many sessions, the oldest
243// is removed.
244func SessionAdd(ctx context.Context, log mlog.Log, accountName, loginAddress string) (session SessionToken, csrf CSRFToken, rerr error) {
245 // Prepare new LoginSession.
246 ls := LoginSession{0, time.Time{}, time.Now().Add(sessionLifetime), [16]byte{}, [16]byte{}, accountName, loginAddress, "", ""}
247 if _, err := cryptorand.Read(ls.SessionTokenBinary[:]); err != nil {
248 return "", "", err
249 }
250 if _, err := cryptorand.Read(ls.CSRFTokenBinary[:]); err != nil {
251 return "", "", err
252 }
253 ls.sessionToken = SessionToken(base64.RawURLEncoding.EncodeToString(ls.SessionTokenBinary[:]))
254 ls.csrfToken = CSRFToken(base64.RawURLEncoding.EncodeToString(ls.CSRFTokenBinary[:]))
255
256 sessions.Lock()
257 defer sessions.Unlock()
258
259 acc, err := ensureAccountSessions(ctx, log, accountName, true)
260 if err != nil {
261 return "", "", err
262 }
263 defer func() {
264 err := acc.Close()
265 log.Check(err, "closing account")
266 }()
267
268 if err := sessionAddToken(ctx, log, acc, &ls); err != nil {
269 return "", "", err
270 }
271
272 return ls.sessionToken, ls.csrfToken, nil
273}
274
275// SessionRemove removes a session from the database and in-memory cache. Future
276// operations using the session token will fail.
277func SessionRemove(ctx context.Context, log mlog.Log, accountName string, sessionToken SessionToken) error {
278 sessions.Lock()
279 defer sessions.Unlock()
280
281 acc, err := ensureAccountSessions(ctx, log, accountName, true)
282 if err != nil {
283 return err
284 }
285 defer acc.Close()
286
287 ls, ok := sessions.accounts[accountName][sessionToken]
288 if !ok {
289 return fmt.Errorf("unknown session token")
290 }
291
292 if err := acc.DB.Delete(ctx, &ls); err != nil {
293 return err
294 }
295
296 delete(sessions.accounts[accountName], sessionToken)
297 pf := sessions.pendingFlushes[accountName]
298 if pf != nil {
299 delete(pf, sessionToken)
300 }
301
302 return nil
303}
304
305// sessionRemoveAll removes all session tokens for an account. Useful after a password reset.
306func sessionRemoveAll(ctx context.Context, log mlog.Log, tx *bstore.Tx, accountName string) error {
307 sessions.Lock()
308 defer sessions.Unlock()
309
310 if _, err := bstore.QueryTx[LoginSession](tx).Delete(); err != nil {
311 return err
312 }
313
314 sessions.accounts[accountName] = map[SessionToken]LoginSession{}
315 if sessions.pendingFlushes[accountName] != nil {
316 sessions.pendingFlushes[accountName] = map[SessionToken]struct{}{}
317 }
318
319 return nil
320}
321