@vorionsys/platform-core 0.1.0

package/dist/security/session-manager.js

@@ -0,0 +1,353 @@
+/**
+ * Session Manager - High-level session management
+ *
+ * Provides secure session lifecycle management including:
+ * - Session creation with device tracking
+ * - Session validation with security checks
+ * - Revocation on security events
+ * - Re-authentication for sensitive operations
+ *
+ * @packageDocumentation
+ */
+import { createLogger } from '../common/logger.js';
+import { getSessionStore, } from './session-store.js';
+import { getFingerprintService, } from './fingerprint-service.js';
+const logger = createLogger({ component: 'session-manager' });
+const DEFAULT_CONFIG = {
+    requireReauthForSensitive: true,
+    sensitiveOperationWindow: 300, // 5 minutes
+    inactivityTimeout: 3600, // 1 hour
+    revokeOnPasswordChange: true,
+    revokeOnEmailChange: true,
+    detectConcurrentSessions: true,
+    fingerprintEnabled: true,
+    fingerprintStrictness: 'warn',
+};
+/**
+ * Session manager for secure session lifecycle
+ */
+export class SessionManager {
+    store;
+    config;
+    fingerprintService;
+    constructor(config = {}) {
+        this.config = { ...DEFAULT_CONFIG, ...config };
+        this.store = getSessionStore(config);
+        this.fingerprintService = getFingerprintService();
+    }
+    /**
+     * Create a new session for a user
+     */
+    async createSession(input) {
+        // Check for suspicious concurrent sessions if enabled
+        if (this.config.detectConcurrentSessions) {
+            await this.checkConcurrentSessions(input);
+        }
+        return this.store.create(input);
+    }
+    /**
+     * Validate a session and check security conditions
+     */
+    async validateSession(sessionId, options) {
+        const result = await this.store.validate(sessionId);
+        const warnings = [];
+        if (!result.valid) {
+            return {
+                valid: false,
+                session: result.session,
+                reason: result.reason,
+            };
+        }
+        const session = result.session;
+        // Check inactivity timeout
+        if (options?.checkInactivity !== false) {
+            const inactiveSeconds = (Date.now() - session.lastActivityAt.getTime()) / 1000;
+            if (inactiveSeconds > this.config.inactivityTimeout) {
+                return {
+                    valid: false,
+                    session,
+                    reason: 'Session inactive for too long',
+                    requiresReauth: true,
+                };
+            }
+        }
+        // Check IP address change (warning only, not blocking)
+        if (options?.ipAddress && options.ipAddress !== session.ipAddress) {
+            warnings.push(`IP address changed from ${session.ipAddress} to ${options.ipAddress}`);
+            logger.warn({
+                sessionId,
+                userId: session.userId,
+                originalIp: session.ipAddress,
+                currentIp: options.ipAddress,
+            }, 'Session IP address changed');
+        }
+        // Validate fingerprint if enabled and session has stored fingerprint
+        let fingerprintValidation;
+        if (this.config.fingerprintEnabled &&
+            session.deviceFingerprint &&
+            options?.requestHeaders) {
+            fingerprintValidation = this.fingerprintService.validateFingerprint(options.requestHeaders, session.deviceFingerprint, sessionId);
+            if (!fingerprintValidation.valid) {
+                if (fingerprintValidation.shouldBlock) {
+                    return {
+                        valid: false,
+                        session,
+                        reason: 'Fingerprint mismatch detected - session may be compromised',
+                        fingerprintValidation,
+                    };
+                }
+                else {
+                    warnings.push('Fingerprint mismatch detected - client characteristics changed');
+                }
+            }
+        }
+        // Check if sensitive operation requires recent authentication
+        if (options?.operation && this.config.requireReauthForSensitive) {
+            const requiresReauth = this.operationRequiresReauth(session, options.operation);
+            if (requiresReauth) {
+                return {
+                    valid: true,
+                    session,
+                    requiresReauth: true,
+                    reason: `Operation "${options.operation}" requires recent authentication`,
+                    securityWarnings: warnings.length > 0 ? warnings : undefined,
+                    fingerprintValidation,
+                };
+            }
+        }
+        return {
+            valid: true,
+            session,
+            securityWarnings: warnings.length > 0 ? warnings : undefined,
+            fingerprintValidation,
+        };
+    }
+    /**
+     * Revoke a specific session
+     */
+    async revokeSession(sessionId, reason, revokedBy) {
+        return this.store.revoke(sessionId, reason, revokedBy);
+    }
+    /**
+     * Revoke all sessions for a user (e.g., on password change)
+     */
+    async revokeAllUserSessions(userId, reason, revokedBy, exceptCurrentSession) {
+        return this.store.revokeAllForUser(userId, reason, revokedBy, exceptCurrentSession);
+    }
+    /**
+     * Revoke other sessions (keep current)
+     */
+    async revokeOtherSessions(userId, currentSessionId, reason = 'User requested logout of other sessions') {
+        return this.store.revokeAllForUser(userId, reason, userId, currentSessionId);
+    }
+    /**
+     * Regenerate a session with a new ID while preserving session data
+     *
+     * This is a security best practice after privilege changes (e.g., login,
+     * role change, password reset) to prevent session fixation attacks.
+     *
+     * Steps performed:
+     * 1. Gets the old session data
+     * 2. Creates a new session with the same data (optionally with updates)
+     * 3. Revokes the old session
+     * 4. Returns the new session
+     *
+     * @param oldSessionId - The current session ID to regenerate
+     * @param options - Options for the new session
+     * @returns The new session, or null if old session doesn't exist
+     */
+    async regenerateSession(oldSessionId, options = {}) {
+        // Get the old session
+        const oldSession = await this.store.get(oldSessionId);
+        if (!oldSession || oldSession.revoked) {
+            logger.warn({ oldSessionId, reason: options.reason }, 'Cannot regenerate session - old session not found or already revoked');
+            return null;
+        }
+        // Create new session with data from old session
+        const newSessionInput = {
+            userId: oldSession.userId,
+            tenantId: oldSession.tenantId,
+            ipAddress: options.ipAddress ?? oldSession.ipAddress,
+            userAgent: options.userAgent ?? oldSession.userAgent,
+            deviceFingerprint: options.deviceFingerprint ?? oldSession.deviceFingerprint,
+            metadata: {
+                ...oldSession.metadata,
+                ...options.metadata,
+                regeneratedFrom: oldSessionId,
+                regeneratedAt: new Date().toISOString(),
+                regenerationReason: options.reason,
+            },
+        };
+        // Create the new session
+        const newSession = await this.store.create(newSessionInput);
+        // Revoke the old session
+        await this.store.revoke(oldSessionId, options.reason ?? 'Session regenerated', 'system');
+        logger.info({
+            oldSessionId,
+            newSessionId: newSession.id,
+            userId: oldSession.userId,
+            reason: options.reason,
+        }, 'Session regenerated successfully');
+        return newSession;
+    }
+    /**
+     * Compute and store fingerprint for a session
+     *
+     * Use this when creating sessions to enable fingerprint validation.
+     *
+     * @param sessionId - Session to update
+     * @param headers - Request headers for fingerprint computation
+     * @returns The computed fingerprint, or null if session not found
+     */
+    async setSessionFingerprint(sessionId, headers) {
+        const session = await this.store.get(sessionId);
+        if (!session || session.revoked) {
+            return null;
+        }
+        const fingerprintResult = this.fingerprintService.computeFingerprint(headers);
+        // Update session with fingerprint
+        // Note: This requires getting and re-saving the session
+        // In production, consider adding a dedicated update method to SessionStore
+        session.deviceFingerprint = fingerprintResult.fingerprint;
+        session.metadata = {
+            ...session.metadata,
+            fingerprintComponents: fingerprintResult.componentsUsed,
+            fingerprintMissingComponents: fingerprintResult.missingComponents,
+        };
+        // Touch to persist changes
+        await this.store.touch(sessionId);
+        logger.debug({
+            sessionId,
+            fingerprintPrefix: fingerprintResult.fingerprint.substring(0, 8),
+            componentsUsed: fingerprintResult.componentsUsed,
+        }, 'Session fingerprint set');
+        return fingerprintResult.fingerprint;
+    }
+    /**
+     * Handle password change - revoke all sessions if configured
+     */
+    async onPasswordChange(userId, currentSessionId) {
+        if (!this.config.revokeOnPasswordChange) {
+            return { revokedCount: 0 };
+        }
+        const revokedCount = await this.revokeAllUserSessions(userId, 'Password changed', 'system', currentSessionId);
+        logger.info({ userId, revokedCount, keptSession: currentSessionId }, 'Sessions revoked after password change');
+        return { revokedCount };
+    }
+    /**
+     * Handle email change - revoke all sessions if configured
+     */
+    async onEmailChange(userId, currentSessionId) {
+        if (!this.config.revokeOnEmailChange) {
+            return { revokedCount: 0 };
+        }
+        const revokedCount = await this.revokeAllUserSessions(userId, 'Email changed', 'system', currentSessionId);
+        logger.info({ userId, revokedCount, keptSession: currentSessionId }, 'Sessions revoked after email change');
+        return { revokedCount };
+    }
+    /**
+     * Handle security incident - revoke all sessions immediately
+     */
+    async onSecurityIncident(userId, incidentType, details) {
+        const reason = `Security incident: ${incidentType}${details ? ` - ${details}` : ''}`;
+        const revokedCount = await this.revokeAllUserSessions(userId, reason, 'security-system');
+        logger.warn({ userId, incidentType, revokedCount, details }, 'All sessions revoked due to security incident');
+        return { revokedCount };
+    }
+    /**
+     * Get all active sessions for a user
+     */
+    async getUserSessions(userId) {
+        return this.store.getSessionsForUser(userId);
+    }
+    /**
+     * Get session count for a user
+     */
+    async getUserSessionCount(userId) {
+        const sessions = await this.store.getSessionsForUser(userId);
+        return sessions.length;
+    }
+    /**
+     * Record that user re-authenticated (for sensitive operations)
+     */
+    async recordReauthentication(sessionId) {
+        const session = await this.store.get(sessionId);
+        if (!session || session.revoked) {
+            return false;
+        }
+        // Update metadata to record re-auth time
+        session.metadata = {
+            ...session.metadata,
+            lastReauthAt: new Date().toISOString(),
+        };
+        // Touch the session to update it
+        await this.store.touch(sessionId);
+        logger.info({ sessionId, userId: session.userId }, 'Re-authentication recorded');
+        return true;
+    }
+    /**
+     * Check if an operation requires re-authentication
+     */
+    operationRequiresReauth(session, operation) {
+        // Check when user last authenticated
+        const lastReauthAt = session.metadata?.['lastReauthAt'];
+        const lastAuthTime = lastReauthAt
+            ? new Date(lastReauthAt).getTime()
+            : session.createdAt.getTime();
+        const secondsSinceAuth = (Date.now() - lastAuthTime) / 1000;
+        // If within the sensitive operation window, no re-auth needed
+        if (secondsSinceAuth < this.config.sensitiveOperationWindow) {
+            return false;
+        }
+        // These operations always require recent auth
+        const alwaysRequireReauth = [
+            'password_change',
+            'delete_account',
+            'mfa_change',
+        ];
+        return alwaysRequireReauth.includes(operation);
+    }
+    /**
+     * Check for suspicious concurrent sessions
+     */
+    async checkConcurrentSessions(input) {
+        const existingSessions = await this.store.getSessionsForUser(input.userId);
+        for (const session of existingSessions) {
+            // Check if there's a session from a very different location
+            // (This is a simple check - could be enhanced with IP geolocation)
+            if (session.ipAddress !== input.ipAddress) {
+                const timeSinceLastActivity = Date.now() - session.lastActivityAt.getTime();
+                // If there was recent activity from a different IP, log a warning
+                if (timeSinceLastActivity < 300000) { // 5 minutes
+                    logger.warn({
+                        userId: input.userId,
+                        existingSessionIp: session.ipAddress,
+                        newSessionIp: input.ipAddress,
+                        existingSessionId: session.id,
+                    }, 'Concurrent session from different IP detected');
+                }
+            }
+        }
+    }
+}
+/**
+ * Singleton session manager instance
+ */
+let sessionManager = null;
+/**
+ * Get the session manager singleton
+ */
+export function getSessionManager(config) {
+    if (!sessionManager) {
+        sessionManager = new SessionManager(config);
+    }
+    return sessionManager;
+}
+/**
+ * Create a new session manager instance (for testing)
+ */
+export function createSessionManager(config) {
+    return new SessionManager(config);
+}
+export { extractFingerprintHeaders } from './fingerprint-service.js';
+//# sourceMappingURL=session-manager.js.map

package/dist/security/session-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-manager.js","sourceRoot":"","sources":["../../src/security/session-manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAEL,eAAe,GAIhB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAEL,qBAAqB,GAItB,MAAM,0BAA0B,CAAC;AAElC,MAAM,MAAM,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAAC,CAAC;AAwC9D,MAAM,cAAc,GAAyB;IAC3C,yBAAyB,EAAE,IAAI;IAC/B,wBAAwB,EAAE,GAAG,EAAE,YAAY;IAC3C,iBAAiB,EAAE,IAAI,EAAE,SAAS;IAClC,sBAAsB,EAAE,IAAI;IAC5B,mBAAmB,EAAE,IAAI;IACzB,wBAAwB,EAAE,IAAI;IAC9B,kBAAkB,EAAE,IAAI;IACxB,qBAAqB,EAAE,MAAM;CAC9B,CAAC;AA4BF;;GAEG;AACH,MAAM,OAAO,cAAc;IACjB,KAAK,CAAe;IACpB,MAAM,CAAuB;IAC7B,kBAAkB,CAAqB;IAE/C,YAAY,SAAwC,EAAE;QACpD,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,CAAC,kBAAkB,GAAG,qBAAqB,EAAE,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,KAAyB;QAC3C,sDAAsD;QACtD,IAAI,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE,CAAC;YACzC,MAAM,IAAI,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC;QAC5C,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,SAAiB,EACjB,OAMC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACpD,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,OAAQ,CAAC;QAEhC,2BAA2B;QAC3B,IAAI,OAAO,EAAE,eAAe,KAAK,KAAK,EAAE,CAAC;YACvC,MAAM,eAAe,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC,GAAG,IAAI,CAAC;YAC/E,IAAI,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;gBACpD,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,OAAO;oBACP,MAAM,EAAE,+BAA+B;oBACvC,cAAc,EAAE,IAAI;iBACrB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uDAAuD;QACvD,IAAI,OAAO,EAAE,SAAS,IAAI,OAAO,CAAC,SAAS,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;YAClE,QAAQ,CAAC,IAAI,CAAC,2BAA2B,OAAO,CAAC,SAAS,OAAO,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;YACtF,MAAM,CAAC,IAAI,CACT;gBACE,SAAS;gBACT,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,UAAU,EAAE,OAAO,CAAC,SAAS;gBAC7B,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B,EACD,4BAA4B,CAC7B,CAAC;QACJ,CAAC;QAED,qEAAqE;QACrE,IAAI,qBAA8D,CAAC;QACnE,IACE,IAAI,CAAC,MAAM,CAAC,kBAAkB;YAC9B,OAAO,CAAC,iBAAiB;YACzB,OAAO,EAAE,cAAc,EACvB,CAAC;YACD,qBAAqB,GAAG,IAAI,CAAC,kBAAkB,CAAC,mBAAmB,CACjE,OAAO,CAAC,cAAc,EACtB,OAAO,CAAC,iBAAiB,EACzB,SAAS,CACV,CAAC;YAEF,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC;gBACjC,IAAI,qBAAqB,CAAC,WAAW,EAAE,CAAC;oBACtC,OAAO;wBACL,KAAK,EAAE,KAAK;wBACZ,OAAO;wBACP,MAAM,EAAE,4DAA4D;wBACpE,qBAAqB;qBACtB,CAAC;gBACJ,CAAC;qBAAM,CAAC;oBACN,QAAQ,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;gBAClF,CAAC;YACH,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,OAAO,EAAE,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,yBAAyB,EAAE,CAAC;YAChE,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;YAChF,IAAI,cAAc,EAAE,CAAC;gBACnB,OAAO;oBACL,KAAK,EAAE,IAAI;oBACX,OAAO;oBACP,cAAc,EAAE,IAAI;oBACpB,MAAM,EAAE,cAAc,OAAO,CAAC,SAAS,kCAAkC;oBACzE,gBAAgB,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;oBAC5D,qBAAqB;iBACtB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,OAAO;YACP,gBAAgB,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;YAC5D,qBAAqB;SACtB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,SAAiB,EACjB,MAAc,EACd,SAAkB;QAElB,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IACzD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,qBAAqB,CACzB,MAAc,EACd,MAAc,EACd,SAAkB,EAClB,oBAA6B;QAE7B,OAAO,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,oBAAoB,CAAC,CAAC;IACtF,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,mBAAmB,CACvB,MAAc,EACd,gBAAwB,EACxB,SAAiB,yCAAyC;QAE1D,OAAO,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,CAAC,CAAC;IAC/E,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,iBAAiB,CACrB,YAAoB,EACpB,UAAoC,EAAE;QAEtC,sBAAsB;QACtB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACtD,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CACT,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,EACxC,sEAAsE,CACvE,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,gDAAgD;QAChD,MAAM,eAAe,GAAuB;YAC1C,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,QAAQ,EAAE,UAAU,CAAC,QAAQ;YAC7B,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,UAAU,CAAC,SAAS;YACpD,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,UAAU,CAAC,SAAS;YACpD,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,IAAI,UAAU,CAAC,iBAAiB;YAC5E,QAAQ,EAAE;gBACR,GAAG,UAAU,CAAC,QAAQ;gBACtB,GAAG,OAAO,CAAC,QAAQ;gBACnB,eAAe,EAAE,YAAY;gBAC7B,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACvC,kBAAkB,EAAE,OAAO,CAAC,MAAM;aACnC;SACF,CAAC;QAEF,yBAAyB;QACzB,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAE5D,yBAAyB;QACzB,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CACrB,YAAY,EACZ,OAAO,CAAC,MAAM,IAAI,qBAAqB,EACvC,QAAQ,CACT,CAAC;QAEF,MAAM,CAAC,IAAI,CACT;YACE,YAAY;YACZ,YAAY,EAAE,UAAU,CAAC,EAAE;YAC3B,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,EACD,kCAAkC,CACnC,CAAC;QAEF,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,qBAAqB,CACzB,SAAiB,EACjB,OAAuB;QAEvB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,iBAAiB,GAAG,IAAI,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;QAE9E,kCAAkC;QAClC,wDAAwD;QACxD,2EAA2E;QAC3E,OAAO,CAAC,iBAAiB,GAAG,iBAAiB,CAAC,WAAW,CAAC;QAC1D,OAAO,CAAC,QAAQ,GAAG;YACjB,GAAG,OAAO,CAAC,QAAQ;YACnB,qBAAqB,EAAE,iBAAiB,CAAC,cAAc;YACvD,4BAA4B,EAAE,iBAAiB,CAAC,iBAAiB;SAClE,CAAC;QAEF,2BAA2B;QAC3B,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAElC,MAAM,CAAC,KAAK,CACV;YACE,SAAS;YACT,iBAAiB,EAAE,iBAAiB,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC;YAChE,cAAc,EAAE,iBAAiB,CAAC,cAAc;SACjD,EACD,yBAAyB,CAC1B,CAAC;QAEF,OAAO,iBAAiB,CAAC,WAAW,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CACpB,MAAc,EACd,gBAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,sBAAsB,EAAE,CAAC;YACxC,OAAO,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;QAC7B,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,qBAAqB,CACnD,MAAM,EACN,kBAAkB,EAClB,QAAQ,EACR,gBAAgB,CACjB,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,EACvD,wCAAwC,CACzC,CAAC;QAEF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CACjB,MAAc,EACd,gBAAyB;QAEzB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,mBAAmB,EAAE,CAAC;YACrC,OAAO,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;QAC7B,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,qBAAqB,CACnD,MAAM,EACN,eAAe,EACf,QAAQ,EACR,gBAAgB,CACjB,CAAC;QAEF,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,gBAAgB,EAAE,EACvD,qCAAqC,CACtC,CAAC;QAEF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CACtB,MAAc,EACd,YAAoB,EACpB,OAAgB;QAEhB,MAAM,MAAM,GAAG,sBAAsB,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,MAAM,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACrF,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,MAAM,EAAE,iBAAiB,CAAC,CAAC;QAEzF,MAAM,CAAC,IAAI,CACT,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,EAAE,OAAO,EAAE,EAC/C,+CAA+C,CAChD,CAAC;QAEF,OAAO,EAAE,YAAY,EAAE,CAAC;IAC1B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,MAAc;QAClC,OAAO,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,mBAAmB,CAAC,MAAc;QACtC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAC7D,OAAO,QAAQ,CAAC,MAAM,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,sBAAsB,CAAC,SAAiB;QAC5C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,yCAAyC;QACzC,OAAO,CAAC,QAAQ,GAAG;YACjB,GAAG,OAAO,CAAC,QAAQ;YACnB,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACvC,CAAC;QAEF,iCAAiC;QACjC,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QAElC,MAAM,CAAC,IAAI,CACT,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,EACrC,4BAA4B,CAC7B,CAAC;QAEF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,uBAAuB,CAC7B,OAAgB,EAChB,SAA6B;QAE7B,qCAAqC;QACrC,MAAM,YAAY,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,cAAc,CAAuB,CAAC;QAC9E,MAAM,YAAY,GAAG,YAAY;YAC/B,CAAC,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;YAClC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;QAEhC,MAAM,gBAAgB,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,CAAC,GAAG,IAAI,CAAC;QAE5D,8DAA8D;QAC9D,IAAI,gBAAgB,GAAG,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAC5D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,8CAA8C;QAC9C,MAAM,mBAAmB,GAAyB;YAChD,iBAAiB;YACjB,gBAAgB;YAChB,YAAY;SACb,CAAC;QAEF,OAAO,mBAAmB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACjD,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,uBAAuB,CAAC,KAAyB;QAC7D,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE3E,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;YACvC,4DAA4D;YAC5D,mEAAmE;YACnE,IAAI,OAAO,CAAC,SAAS,KAAK,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC1C,MAAM,qBAAqB,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;gBAE5E,kEAAkE;gBAClE,IAAI,qBAAqB,GAAG,MAAM,EAAE,CAAC,CAAC,YAAY;oBAChD,MAAM,CAAC,IAAI,CACT;wBACE,MAAM,EAAE,KAAK,CAAC,MAAM;wBACpB,iBAAiB,EAAE,OAAO,CAAC,SAAS;wBACpC,YAAY,EAAE,KAAK,CAAC,SAAS;wBAC7B,iBAAiB,EAAE,OAAO,CAAC,EAAE;qBAC9B,EACD,+CAA+C,CAChD,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF;AAED;;GAEG;AACH,IAAI,cAAc,GAA0B,IAAI,CAAC;AAEjD;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAsC;IACtE,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,cAAc,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,cAAc,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAsC;IACzE,OAAO,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAOD,OAAO,EAAE,yBAAyB,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/security/session-store.d.ts

@@ -0,0 +1,205 @@
+/**
+ * Session Store - Redis-backed session persistence
+ *
+ * Provides secure session storage with support for:
+ * - Session creation and retrieval
+ * - Session revocation with immediate propagation across instances
+ * - Automatic expiration
+ * - Device tracking
+ * - Pub/sub for instant revocation notification
+ * - Graceful handling of Redis unavailability
+ *
+ * @packageDocumentation
+ */
+import { SecurityAuditLogger } from '../audit/security-logger.js';
+/**
+ * Session data structure
+ */
+export interface Session {
+    /** Unique session identifier */
+    id: string;
+    /** User ID this session belongs to */
+    userId: string;
+    /** Tenant ID for multi-tenant isolation */
+    tenantId: string;
+    /** Device fingerprint for identification */
+    deviceFingerprint?: string;
+    /** IP address at session creation */
+    ipAddress: string;
+    /** User agent string */
+    userAgent: string;
+    /** When the session was created */
+    createdAt: Date;
+    /** Last activity timestamp */
+    lastActivityAt: Date;
+    /** When the session expires */
+    expiresAt: Date;
+    /** Whether the session has been revoked */
+    revoked: boolean;
+    /** When the session was revoked */
+    revokedAt?: Date;
+    /** Reason for revocation */
+    revokedReason?: string;
+    /** Who revoked the session (user ID or 'system') */
+    revokedBy?: string;
+    /** Additional metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Session creation input
+ */
+export interface CreateSessionInput {
+    userId: string;
+    tenantId: string;
+    ipAddress: string;
+    userAgent: string;
+    deviceFingerprint?: string;
+    ttlSeconds?: number;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Session store configuration
+ */
+export interface SessionStoreConfig {
+    /** Redis key prefix */
+    keyPrefix: string;
+    /** Default session TTL in seconds */
+    defaultTTL: number;
+    /** Maximum sessions per user */
+    maxSessionsPerUser: number;
+    /** Whether to track session activity */
+    trackActivity: boolean;
+}
+/**
+ * Redis-backed session store with pub/sub revocation propagation
+ */
+export declare class SessionStore {
+    private config;
+    private redis;
+    private subscriber;
+    private readonly instanceId;
+    private isSubscribed;
+    private cleanupInterval;
+    private securityLogger;
+    constructor(config?: Partial<SessionStoreConfig>, securityLogger?: SecurityAuditLogger);
+    /**
+     * Get Redis client, initializing if needed
+     */
+    private getRedis;
+    /**
+     * Subscribe to session revocation events for cross-instance propagation
+     */
+    private subscribeToRevocations;
+    /**
+     * Publish a session revocation event to other instances
+     */
+    private publishRevocation;
+    /**
+     * Add a session ID to the local revoked cache
+     */
+    private addToRevokedCache;
+    /**
+     * Check if a session is in the local revoked cache
+     */
+    private isInRevokedCache;
+    /**
+     * Start cleanup interval for revoked sessions cache
+     */
+    private startCacheCleanup;
+    /**
+     * Generate session key for Redis
+     */
+    private sessionKey;
+    /**
+     * Generate user sessions index key
+     */
+    private userSessionsKey;
+    /**
+     * Create a new session
+     */
+    create(input: CreateSessionInput): Promise<Session>;
+    /**
+     * Get a session by ID
+     */
+    get(sessionId: string): Promise<Session | null>;
+    /**
+     * Update session activity timestamp
+     */
+    touch(sessionId: string): Promise<boolean>;
+    /**
+     * Revoke a session and notify other instances immediately
+     */
+    revoke(sessionId: string, reason: string, revokedBy?: string): Promise<boolean>;
+    /**
+     * Revoke all sessions for a user
+     */
+    revokeAllForUser(userId: string, reason: string, revokedBy?: string, exceptSessionId?: string): Promise<number>;
+    /**
+     * Get all session IDs for a user
+     */
+    getSessionIdsForUser(userId: string): Promise<string[]>;
+    /**
+     * Get all active sessions for a user
+     */
+    getSessionsForUser(userId: string): Promise<Session[]>;
+    /**
+     * Delete a session permanently
+     */
+    delete(sessionId: string): Promise<boolean>;
+    /**
+     * Validate a session is active and not revoked
+     *
+     * First checks the local revoked cache for immediate revocation detection,
+     * then validates against Redis for the full session state.
+     */
+    validate(sessionId: string): Promise<{
+        valid: boolean;
+        session?: Session;
+        reason?: string;
+    }>;
+    /**
+     * Enforce maximum sessions per user
+     */
+    private enforceSessionLimit;
+    /**
+     * Serialize session for storage
+     */
+    private serializeSession;
+    /**
+     * Deserialize session from storage
+     */
+    private deserializeSession;
+    /**
+     * Stop the session store and cleanup resources
+     */
+    stop(): Promise<void>;
+    /**
+     * Check if Redis is healthy
+     */
+    checkHealth(): Promise<{
+        healthy: boolean;
+        latencyMs?: number;
+        error?: string;
+    }>;
+    /**
+     * Get store statistics
+     */
+    getStats(): {
+        revokedCacheSize: number;
+        instanceId: string;
+        isSubscribed: boolean;
+    };
+}
+/**
+ * Get the session store singleton
+ */
+export declare function getSessionStore(config?: Partial<SessionStoreConfig>): SessionStore;
+/**
+ * Create a new session store instance (for testing)
+ */
+export declare function createSessionStore(config?: Partial<SessionStoreConfig>, securityLogger?: SecurityAuditLogger): SessionStore;
+/**
+ * Reset the session store singleton (for testing)
+ */
+export declare function resetSessionStore(): Promise<void>;
+//# sourceMappingURL=session-store.d.ts.map

package/dist/security/session-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../../src/security/session-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,OAAO,EACL,mBAAmB,EAEpB,MAAM,6BAA6B,CAAC;AAyErC;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,gCAAgC;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,sCAAsC;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,2CAA2C;IAC3C,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,SAAS,EAAE,IAAI,CAAC;IAChB,8BAA8B;IAC9B,cAAc,EAAE,IAAI,CAAC;IACrB,+BAA+B;IAC/B,SAAS,EAAE,IAAI,CAAC;IAChB,2CAA2C;IAC3C,OAAO,EAAE,OAAO,CAAC;IACjB,mCAAmC;IACnC,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,4BAA4B;IAC5B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,uBAAuB;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,UAAU,EAAE,MAAM,CAAC;IACnB,gCAAgC;IAChC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,wCAAwC;IACxC,aAAa,EAAE,OAAO,CAAC;CACxB;AA2BD;;GAEG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,KAAK,CAAsB;IACnC,OAAO,CAAC,UAAU,CAAsB;IACxC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,YAAY,CAAkB;IACtC,OAAO,CAAC,eAAe,CAA+B;IACtD,OAAO,CAAC,cAAc,CAAsB;gBAEhC,MAAM,GAAE,OAAO,CAAC,kBAAkB,CAAM,EAAE,cAAc,CAAC,EAAE,mBAAmB;IAS1F;;OAEG;YACW,QAAQ;IAUtB;;OAEG;YACW,sBAAsB;IA8DpC;;OAEG;YACW,iBAAiB;IAwB/B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAYzB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAcxB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAezB;;OAEG;IACH,OAAO,CAAC,UAAU;IAIlB;;OAEG;IACH,OAAO,CAAC,eAAe;IAIvB;;OAEG;IACG,MAAM,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,OAAO,CAAC;IAsDzD;;OAEG;IACG,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IA+CrD;;OAEG;IACG,KAAK,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAuBhD;;OAEG;IACG,MAAM,CACV,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,GAAE,MAAiB,GAC3B,OAAO,CAAC,OAAO,CAAC;IAgDnB;;OAEG;IACG,gBAAgB,CACpB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,SAAS,GAAE,MAAiB,EAC5B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,MAAM,CAAC;IAgClB;;OAEG;IACG,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAoB7D;;OAEG;IACG,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAc5D;;OAEG;IACG,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAejD;;;;;OAKG;IACG,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;QACzC,KAAK,EAAE,OAAO,CAAC;QACf,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,CAAC;IA6DF;;OAEG;YACW,mBAAmB;IAwBjC;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAUxB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAU1B;;OAEG;IACG,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAgB3B;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC;QAC3B,OAAO,EAAE,OAAO,CAAC;QACjB,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;IAIF;;OAEG;IACH,QAAQ,IAAI;QACV,gBAAgB,EAAE,MAAM,CAAC;QACzB,UAAU,EAAE,MAAM,CAAC;QACnB,YAAY,EAAE,OAAO,CAAC;KACvB;CAOF;AAOD;;GAEG;AACH,wBAAgB,eAAe,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC,GAAG,YAAY,CAKlF;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,CAAC,EAAE,OAAO,CAAC,kBAAkB,CAAC,EACpC,cAAc,CAAC,EAAE,mBAAmB,GACnC,YAAY,CAEd;AAED;;GAEG;AACH,wBAAsB,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC,CAOvD"}