From 4e7fa0f2d963ef31ce26186def946d679817948b Mon Sep 17 00:00:00 2001
From: Milo Schwartz
Date: Sun, 24 Nov 2024 14:28:23 -0500
Subject: [PATCH] add logging for verifySession
---
 package.json | 12 ++--
 .../routers/auth/sendEmailVerificationCode.ts | 2 +-
 server/routers/badger/verifySession.ts | 63 ++++++++++++-------
 3 files changed, 49 insertions(+), 28 deletions(-)
diff --git a/package.json b/package.json
index e9f5b35a..26a7d454 100644
--- a/package.json
+++ b/package.json
@@ -32,8 +32,8 @@
 "@radix-ui/react-switch": "1.1.1",
 "@radix-ui/react-tabs": "1.1.1",
 "@radix-ui/react-toast": "1.2.2",
- "@react-email/components": "0.0.25",
- "@react-email/tailwind": "0.1.0",
+ "@react-email/components": "0.0.28",
+ "@react-email/tailwind": "1.0.2",
 "@tanstack/react-table": "8.20.5",
 "axios": "1.7.7",
 "better-sqlite3": "11.3.0",
@@ -60,8 +60,8 @@
 "node-fetch": "3.3.2",
 "nodemailer": "6.9.15",
 "oslo": "1.2.1",
- "react": "19.0.0-rc-69d4b800-20241021",
- "react-dom": "19.0.0-rc-69d4b800-20241021",
+ "react": "19.0.0-rc.1",
+ "react-dom": "19.0.0-rc.1",
 "react-hook-form": "7.53.0",
 "rebuild": "0.1.2",
 "tailwind-merge": "2.5.3",
@@ -71,10 +71,10 @@
 "winston-daily-rotate-file": "5.0.0",
 "ws": "8.18.0",
 "zod": "3.23.8",
- "zod-validation-error": "3.4.0",
- "react-email": "3.0.1"
+ "zod-validation-error": "3.4.0"
 },
 "devDependencies": {
+ "react-email": "3.0.2",
 "@dotenvx/dotenvx": "1.14.2",
 "@esbuild-plugins/tsconfig-paths": "0.1.2",
 "@types/better-sqlite3": "7.6.11",
diff --git a/server/routers/auth/sendEmailVerificationCode.ts b/server/routers/auth/sendEmailVerificationCode.ts
index 16af5ece..c2d12a78 100644
--- a/server/routers/auth/sendEmailVerificationCode.ts
+++ b/server/routers/auth/sendEmailVerificationCode.ts
@@ -5,7 +5,7 @@ import { users, emailVerificationCodes } from "@server/db/schema";
 import { eq } from "drizzle-orm";
 import { sendEmail } from "@server/emails";
 import config from "@server/config";
-import VerifyEmail from "@server/emails/templates/verifyEmailCode";
+import VerifyEmail from "@server/emails/templates/VerifyEmailCode";
 export async function sendEmailVerificationCode(
 email: string,
diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index e538023d..a733c01e 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -43,7 +43,7 @@ export type VerifyUserResponse = {
 export async function verifyResourceSession(
 req: Request,
 res: Response,
- next: NextFunction
+ next: NextFunction,
 ): Promise {
 logger.debug("Badger sent", req.body); // remove when done testing
@@ -53,8 +53,8 @@ export async function verifyResourceSession(
 return next(
 createHttpError(
 HttpCode.BAD_REQUEST,
- fromError(parsedBody.error).toString()
- )
+ fromError(parsedBody.error).toString(),
+ ),
 );
 }
@@ -66,11 +66,11 @@ export async function verifyResourceSession(
 .from(resources)
 .leftJoin(
 resourcePincode,
- eq(resourcePincode.resourceId, resources.resourceId)
+ eq(resourcePincode.resourceId, resources.resourceId),
 )
 .leftJoin(
 resourcePassword,
- eq(resourcePassword.resourceId, resources.resourceId)
+ eq(resourcePassword.resourceId, resources.resourceId),
 )
 .where(eq(resources.fullDomain, host))
 .limit(1);
@@ -80,32 +80,38 @@ export async function verifyResourceSession(
 const password = result?.resourcePassword;
 if (!resource) {
+ logger.debug("Resource not found", host);
 return notAllowed(res);
 }
 const { sso, blockAccess } = resource;
 if (blockAccess) {
+ logger.debug("Resource blocked", host);
 return notAllowed(res);
 }
 if (!resource.sso && !pincode && !password) {
+ logger.debug("Resource allowed because no auth");
 return allowed(res);
 }
- const redirectUrl = `${config.app.base_url}/auth/resource/${resource.resourceId}?redirect=${originalRequestURL}`;
+ const redirectUrl = `${config.app.base_url}/auth/resource/${encodeURIComponent(resource.resourceId)}?redirect=${encodeURIComponent(originalRequestURL)}`;
 if (sso && sessions.session) {
 const { session, user } = await validateSessionToken(
- sessions.session
+ sessions.session,
 );
 if (session && user) {
 const isAllowed = await isUserAllowedToAccessResource(
 user.userId,
- resource
+ resource,
 );
 if (isAllowed) {
+ logger.debug(
+ "Resource allowed because user session is valid",
+ );
 return allowed(res);
 }
 }
@@ -114,13 +120,16 @@ export async function verifyResourceSession(
 if (password && sessions.resource_session) {
 const { resourceSession } = await validateResourceSessionToken(
 sessions.resource_session,
- resource.resourceId
+ resource.resourceId,
 );
 if (resourceSession) {
 if (
 pincode &&
 resourceSession.pincodeId === pincode.pincodeId
 ) {
+ logger.debug(
+ "Resource allowed because pincode session is valid",
+ );
 return allowed(res);
 }
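Review bot: The two new lines `logger.debug("Resource not found", host)` and `logger.debug("Resource blocked", host)` pass `host` as a second positional argument, which winston only interpolates into the message when the logger is configured with `format.splat()` (package.json pulls in `winston-daily-rotate-file`, so winston seems likely here); without it the extra string is kept only in the splat metadata and the two lines print without the host they were meant to record. Folding the value into the message makes the line independent of the format and matches the single-string style of the other debug calls added in this hunk: `logger.debug(\`Resource not found: ${host}\`);`. Earlier in this function, outside this hunk, `logger.debug("Badger sent", req.body)` still writes the raw body — including the `sessions.session` and `sessions.resource_session` tokens this hunk consumes — to the log and carries its own "remove when done testing" comment; now that permanent debug lines are being added around it, that removal belongs in the same change so session tokens do not end up in the rotated log files. verifyResourceSession starts before this hunk and continues after it.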
@@ -128,51 +137,63 @@ export async function verifyResourceSession(
 password &&
 resourceSession.passwordId === password.passwordId
 ) {
+ logger.debug(
+ "Resource allowed because password session is valid",
+ );
 return allowed(res);
 }
 }
 }
+ logger.debug("No more auth to check, resource not allowed");
 return notAllowed(res, redirectUrl);
 } catch (e) {
+ console.error(e);
 return next(
 createHttpError(
 HttpCode.INTERNAL_SERVER_ERROR,
- "Failed to verify session"
- )
+ "Failed to verify session",
+ ),
 );
 }
 }
 function notAllowed(res: Response, redirectUrl?: string) {
- return response(res, {
+ const data = {
 data: { valid: false, redirectUrl },
 success: true,
 error: false,
 message: "Access denied",
 status: HttpCode.OK,
- });
+ }
+ logger.debug(JSON.stringify(data));
+ return response(res, data);
 }
 function allowed(res: Response) {
- return response(res, {
+ const data = {
 data: { valid: true },
 success: true,
 error: false,
 message: "Access allowed",
 status: HttpCode.OK,
- });
+ }
+ logger.debug(JSON.stringify(data));
+ return response(res, data);
 }
 async function isUserAllowedToAccessResource(
 userId: string,
- resource: Resource
+ resource: Resource,
 ) {
 const userOrgRole = await db
 .select()
 .from(userOrgs)
 .where(
- and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource.orgId))
+ and(
+ eq(userOrgs.userId, userId),
+ eq(userOrgs.orgId, resource.orgId),
+ ),
 )
 .limit(1);
@@ -186,8 +207,8 @@ async function isUserAllowedToAccessResource(
 .where(
 and(
 eq(roleResources.resourceId, resource.resourceId),
- eq(roleResources.roleId, userOrgRole[0].roleId)
- )
+ eq(roleResources.roleId, userOrgRole[0].roleId),
+ ),
 )
 .limit(1);
@@ -201,8 +222,8 @@ async function isUserAllowedToAccessResource(
 .where(
 and(
 eq(userResources.userId, userId),
- eq(userResources.resourceId, resource.resourceId)
- )
+ eq(userResources.resourceId, resource.resourceId),
+ ),
 )
 .limit(1);
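Review bot: The added `console.error(e);` in the catch block bypasses the `logger` every other line of this file writes to, so the only error this handler can produce goes to stderr without level or timestamp and misses the configured transports (the daily-rotate file that package.json depends on, if that is what `logger` is); `logger.error(\`Failed to verify session: ${e}\`);` keeps it with the rest of the audit trail. In `notAllowed` and `allowed` the new `const data = { … }` literals close with `}` and no semicolon while the rest of this diff is a formatter pass adding trailing commas, so the formatter will touch these two lines again on the next run. Hoisting the literal out of the `response(res, …)` argument also drops the contextual typing the call gave it; if `response` takes a specific response type, annotate `data` with it (or use `satisfies`) so excess-property checking is not lost. The catch block belongs to `verifyResourceSession`, which starts before this hunk.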