:bug fix(auth-refresh): prevent ws attempt to refresh the session

Author: victor-enogwe

packages/backend/src/common/middleware/supertokens.middleware.ts

@@ -76,6 +76,10 @@ export const initSupertokens = () => {
 
                     webSocketServer.handleUserRefreshToken(socketId!);
 
+                    logger.debug(
+                      `Session refreshed for user ${data.sub} client.`,
+                    );
+
                     return session;
                   },
                 );

packages/backend/src/servers/websocket/websocket.server.ts

@@ -1,7 +1,14 @@
-import { Request } from "express";
+import { NextFunction, Request, Response } from "express";
 import { Server as HttpServer } from "node:http";
 import { ExtendedError, Server as SocketIOServer } from "socket.io";
-import { verifySession } from "supertokens-node/recipe/session/framework/express";
+import { SessionRequest } from "supertokens-node/framework/express";
+import {
+  ExpressRequest,
+  ExpressResponse,
+} from "supertokens-node/lib/build/framework/express/framework";
+import SessionError from "supertokens-node/lib/build/recipe/session/error";
+import SessionRecipe from "supertokens-node/lib/build/recipe/session/recipe";
+import { makeDefaultUserContextFromAPI } from "supertokens-node/lib/build/utils";
 import {
   EVENT_CHANGED,
   EVENT_CHANGE_PROCESSED,
@@ -16,6 +23,7 @@ import {
   USER_REFRESH_TOKEN,
   USER_SIGN_OUT,
 } from "@core/constants/websocket.constants";
+import { Status } from "@core/errors/status.codes";
 import { Logger } from "@core/logger/winston.logger";
 import { UserMetadata } from "@core/types/user.types";
 import {
@@ -197,6 +205,46 @@ class WebSocketServer {
     return this.notifyClient(socketId!, event, ...payload);
   }
 
+  /**
+   * verifySession
+   *
+   * We are manually verifying the session here
+   * to prevent the default supertokens behavior
+   * of attempting to refresh the session if it is expired internally
+   * since the socket's session might be stale.
+   * We offload the refresh mechanism to the client.
+   */
+  private async verifySession(
+    req: SessionRequest,
+    res: Response,
+    next: NextFunction,
+  ) {
+    try {
+      const request = new ExpressRequest(req);
+      const response = new ExpressResponse(res);
+      const userContext = makeDefaultUserContextFromAPI(request);
+      const sessionRecipe = SessionRecipe.getInstanceOrThrowError();
+      const session = await sessionRecipe.verifySession(
+        { sessionRequired: false },
+        request,
+        response,
+        userContext,
+      );
+
+      Object.assign(req, { session });
+
+      next();
+    } catch (err) {
+      const error = err as SessionError;
+
+      res.writeHead(Status.UNAUTHORIZED, {
+        "Content-Type": "application/json",
+      });
+
+      res.end(JSON.stringify({ type: error.type, message: error.message }));
+    }
+  }
+
   init(server: HttpServer) {
     this.wsServer = new SocketIOServer<
       ClientToServerEvents,
@@ -205,7 +253,7 @@ class WebSocketServer {
       SocketData
     >(server, { cors: { origin: ENV.ORIGINS_ALLOWED, credentials: true } });
 
-    this.wsServer.engine.use(verifySession());
+    this.wsServer.engine.use(this.verifySession.bind(this));
 
     this.wsServer.engine.generateId = this.generateId.bind(this);