keryx 0.29.4 → 0.29.6

package/classes/Connection.ts

@@ -291,6 +291,28 @@ export class Connection<
     return api.session.update(this.session, data);
   }
 
+  /**
+   * Regenerate the session ID to prevent session fixation attacks.
+   * Copies existing session data to a new key in Redis, deletes the old key,
+   * and updates this connection's IDs so the response sets a fresh cookie.
+   * Should be called after successful authentication.
+   *
+   * @returns The session data under the new ID.
+   * @throws {TypedError} With `ErrorType.CONNECTION_SESSION_NOT_FOUND` if no session exists.
+   */
+  async regenerateSession() {
+    await this.loadSession();
+
+    if (!this.session) {
+      throw new TypedError({
+        message: "Session not found",
+        type: ErrorType.CONNECTION_SESSION_NOT_FOUND,
+      });
+    }
+
+    return api.session.regenerate(this);
+  }
+
   /** Add a channel to this connection's subscription set. */
   subscribe(channel: string) {
     this.subscriptions.add(channel);

package/config/server/web.ts

@@ -66,6 +66,7 @@ export const configServerWeb = {
       "strict-origin-when-cross-origin",
     ),
   } as Record<string, string>,
+  maxBodySize: await loadFromEnvIfSet("WEB_MAX_BODY_SIZE", 10 * 1024 * 1024),
   compression: {
     enabled: await loadFromEnvIfSet("WEB_COMPRESSION_ENABLED", true),
     threshold: await loadFromEnvIfSet("WEB_COMPRESSION_THRESHOLD", 1024),

package/initializers/mcp.ts

@@ -61,7 +61,10 @@ export class McpInitializer extends Initializer {
     const mcpServers: McpServer[] = [];
     const transports = new Map<
       string,
-      WebStandardStreamableHTTPServerTransport
+      {
+        transport: WebStandardStreamableHTTPServerTransport;
+        clientId: string;
+      }
     >();
 
     function sendNotification(payload: PubSubMessage) {
@@ -207,11 +210,12 @@ export class McpInitializer extends Initializer {
         const mcpServer = createMcpServer();
         mcpServers.push(mcpServer);
 
+        const sessionClientId = authInfo.clientId;
         const transport = new WebStandardStreamableHTTPServerTransport({
           sessionIdGenerator: () => randomUUID(),
           enableJsonResponse: true,
           onsessioninitialized: async (sid) => {
-            transports.set(sid, transport);
+            transports.set(sid, { transport, clientId: sessionClientId });
             for (const hook of api.hooks.mcp.onConnectHooks) {
               await hook(sid);
             }
@@ -244,8 +248,8 @@ export class McpInitializer extends Initializer {
       }
 
       if (sessionId) {
-        const transport = transports.get(sessionId);
-        if (!transport) {
+        const session = transports.get(sessionId);
+        if (!session) {
           return mcpJsonResponse(
             { error: "Session not found" },
             404,
@@ -253,10 +257,23 @@ export class McpInitializer extends Initializer {
           );
         }
 
+        if (session.clientId !== authInfo.clientId) {
+          return mcpJsonResponse(
+            { error: "Token does not match session" },
+            403,
+            corsHeaders,
+          );
+        }
+
         for (const hook of api.hooks.mcp.onMessageHooks) {
           await hook(sessionId);
         }
-        return handleTransportRequest(transport, req, authInfo, corsHeaders);
+        return handleTransportRequest(
+          session.transport,
+          req,
+          authInfo,
+          corsHeaders,
+        );
       }
 
       // GET/DELETE without session ID
@@ -276,7 +293,7 @@ export class McpInitializer extends Initializer {
     if (!config.server.mcp.enabled) return;
 
     // Close all transports
-    for (const transport of api.mcp.transports.values()) {
+    for (const { transport } of api.mcp.transports.values()) {
       try {
         await transport.close();
       } catch {

package/initializers/resque.ts

@@ -193,8 +193,10 @@ export class Resque extends Initializer {
       worker.on("end", () => {
         logger.info(`[resque:${worker.name}] ended`);
       });
-      worker.on("cleaning_worker", () => {
-        logger.debug(`[resque:${worker.name}] cleaning worker`);
+      worker.on("cleaning_worker", (workerName, pid) => {
+        logger.debug(
+          `[resque:${worker.name}] cleaning worker, ${workerName}, ${pid}`,
+        );
       });
       worker.on("poll", (queue) => {
         logger.debug(`[resque:${worker.name}] polling, ${queue}`);

package/initializers/session.ts

@@ -1,3 +1,4 @@
+import { randomUUID } from "crypto";
 import { api, Connection } from "../api";
 import { Initializer } from "../classes/Initializer";
 import { config } from "../config";
@@ -75,6 +76,46 @@ async function update<T extends Record<string, any>>(
   return session.data;
 }
 
+/**
+ * Regenerate the session ID for a connection to prevent session fixation attacks.
+ * Creates a new session with a fresh UUID, copies existing data, deletes the old
+ * session key from Redis, and updates the connection's IDs so the next response
+ * sets a new cookie value.
+ *
+ * @param connection - The connection whose session to regenerate.
+ * @returns The session data under the new ID, or `null` if no session existed.
+ */
+async function regenerate<T extends Record<string, any>>(
+  connection: Connection,
+) {
+  const oldSessionId = connection.sessionId;
+  const oldKey = getKey(oldSessionId);
+  const newSessionId = randomUUID();
+  const newKey = getKey(newSessionId);
+
+  const raw = await api.redis.redis.get(oldKey);
+  if (!raw) return null;
+
+  const sessionData = JSON.parse(raw) as SessionData<T>;
+  sessionData.id = newSessionId;
+
+  await api.redis.redis.set(newKey, JSON.stringify(sessionData));
+  await api.redis.redis.expire(newKey, config.session.ttl);
+  await api.redis.redis.del(oldKey);
+
+  // Update the connection map when connection.id tracks the session cookie
+  const oldId = connection.id;
+  if (oldId === oldSessionId) {
+    api.connections.connections.delete(oldId);
+    connection.id = newSessionId;
+    api.connections.connections.set(newSessionId, connection);
+  }
+  connection.sessionId = newSessionId;
+  connection.session = sessionData as SessionData<T>;
+
+  return connection.session;
+}
+
 /**
  * Delete a session from Redis.
  *
@@ -104,6 +145,7 @@ export class Session extends Initializer {
       load,
       create,
       update,
+      regenerate,
       destroy,
     };
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keryx",
-  "version": "0.29.4",
+  "version": "0.29.6",
   "module": "index.ts",
   "type": "module",
   "license": "MIT",

package/servers/web.ts

@@ -17,7 +17,11 @@ import {
   buildErrorPayload,
   buildResponse,
 } from "../util/webResponse";
-import { determineActionName, parseRequestParams } from "../util/webRouting";
+import {
+  checkBodySize,
+  determineActionName,
+  parseRequestParams,
+} from "../util/webRouting";
 import {
   handleWebsocketAction,
   handleWebsocketSubscribe,
@@ -409,14 +413,16 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
       await hook(connection, message);
     }
 
+    let messageId: unknown;
     try {
       const parsedMessage = JSON.parse(message.toString());
+      messageId = parsedMessage["messageId"];
       if (parsedMessage["messageType"] === "action") {
-        handleWebsocketAction(connection, ws, parsedMessage);
+        await handleWebsocketAction(connection, ws, parsedMessage);
       } else if (parsedMessage["messageType"] === "subscribe") {
-        handleWebsocketSubscribe(connection, ws, parsedMessage);
+        await handleWebsocketSubscribe(connection, ws, parsedMessage);
       } else if (parsedMessage["messageType"] === "unsubscribe") {
-        handleWebsocketUnsubscribe(connection, ws, parsedMessage);
+        await handleWebsocketUnsubscribe(connection, ws, parsedMessage);
       } else {
         throw new TypedError({
           message: `messageType either missing or unknown`,
@@ -426,6 +432,7 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
     } catch (e) {
       ws.send(
         JSON.stringify({
+          messageId,
           error: buildErrorPayload(
             new TypedError({
               message: `${e}`,
@@ -508,13 +515,38 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
       return { response: buildResponse(connection, {}, 200, requestOrigin) };
     }
 
+    // Reject oversized request bodies before reading them
+    try {
+      checkBodySize(req);
+    } catch (e) {
+      connection.destroy();
+      if (e instanceof TypedError) {
+        return {
+          response: buildError(connection, e, 413, requestOrigin),
+        };
+      }
+      throw e;
+    }
+
     const { actionName, pathParams } = await determineActionName(
       url,
       httpMethod,
     );
     if (!actionName) errorStatusCode = 404;
 
-    const params = await parseRequestParams(req, url, pathParams ?? undefined);
+    let params: Record<string, unknown>;
+    try {
+      params = await parseRequestParams(req, url, pathParams ?? undefined);
+    } catch (e) {
+      if (
+        e instanceof TypedError &&
+        e.message.startsWith("Payload Too Large")
+      ) {
+        connection.destroy();
+        return { response: buildError(connection, e, 413, requestOrigin) };
+      }
+      throw e;
+    }
 
     const { response, error } = await connection.act(
       actionName!,

package/templates/scaffold/actions-session.ts.mustache

@@ -61,6 +61,7 @@ export class SessionCreate implements Action {
     }
 
     await connection.updateSession({ userId: user.id });
+    await connection.regenerateSession();
 
     return {
       user: serializeUser(user),

package/util/webRouting.ts

@@ -34,6 +34,84 @@ export async function determineActionName(
   return { actionName: match.actionName, pathParams: match.pathParams };
 }
 
+/**
+ * Reject requests whose body exceeds {@link config.server.web.maxBodySize}
+ * based on the `Content-Length` header.
+ *
+ * This is a fast, zero-I/O pre-flight check. Requests that declare a body
+ * size above the limit are rejected immediately with no body reading.
+ * Chunked/streaming requests without `Content-Length` bypass this check —
+ * they are caught by {@link readBodyWithLimit} during body parsing.
+ *
+ * @param req - The incoming HTTP request.
+ * @throws {TypedError} With type {@link ErrorType.CONNECTION_ACTION_RUN} and
+ *   an HTTP-friendly "Payload Too Large" message when the declared body
+ *   size exceeds the configured limit.
+ */
+export function checkBodySize(req: Request): void {
+  const maxBodySize = config.server.web.maxBodySize;
+  if (maxBodySize <= 0) return;
+  if (req.method === "GET" || req.method === "HEAD" || req.method === "OPTIONS")
+    return;
+
+  const contentLength = req.headers.get("content-length");
+  if (contentLength !== null) {
+    const length = parseInt(contentLength, 10);
+    if (!Number.isNaN(length) && length > maxBodySize) {
+      throw new TypedError({
+        message: `Payload Too Large — body of ${length} bytes exceeds the ${maxBodySize} byte limit`,
+        type: ErrorType.CONNECTION_ACTION_RUN,
+      });
+    }
+  }
+}
+
+/**
+ * Read a request body as bytes, aborting early if the configured
+ * {@link config.server.web.maxBodySize} is exceeded. Returns the body as a
+ * UTF-8 string. Unlike `req.text()`, this never allocates the full oversized
+ * payload — it reads the stream chunk-by-chunk and cancels as soon as the
+ * limit is breached.
+ *
+ * @param req - The incoming HTTP request (body must not already be consumed).
+ * @returns The body decoded as a UTF-8 string.
+ * @throws {TypedError} With type {@link ErrorType.CONNECTION_ACTION_RUN}
+ *   when the body exceeds the configured limit.
+ */
+async function readBodyWithLimit(req: Request): Promise<string> {
+  const maxBodySize = config.server.web.maxBodySize;
+
+  if (maxBodySize <= 0 || !req.body) {
+    return await req.text();
+  }
+
+  const reader = req.body.getReader();
+  const chunks: Uint8Array[] = [];
+  let received = 0;
+
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    received += value.byteLength;
+    if (received > maxBodySize) {
+      reader.cancel();
+      throw new TypedError({
+        message: `Payload Too Large — body exceeds the ${maxBodySize} byte limit`,
+        type: ErrorType.CONNECTION_ACTION_RUN,
+      });
+    }
+    chunks.push(value);
+  }
+
+  const merged = new Uint8Array(received);
+  let offset = 0;
+  for (const chunk of chunks) {
+    merged.set(chunk, offset);
+    offset += chunk.byteLength;
+  }
+  return new TextDecoder().decode(merged);
+}
+
 /**
  * Parse request parameters from path params, request body (JSON or form-data),
  * and query string into a single plain object.
@@ -68,12 +146,16 @@ export async function parseRequestParams(
     req.headers.get("content-type") === "application/json"
   ) {
     try {
-      const bodyContent = (await req.json()) as Record<string, unknown>;
+      // Use streaming reader that aborts early if the body exceeds the
+      // configured limit — never allocates the full oversized payload.
+      const text = await readBodyWithLimit(req);
+      const bodyContent = JSON.parse(text) as Record<string, unknown>;
       // Merge JSON body directly — preserves types (objects, arrays, booleans, numbers)
       for (const [key, value] of Object.entries(bodyContent)) {
         params[key] = value;
       }
     } catch (e) {
+      if (e instanceof TypedError) throw e;
       throw new TypedError({
         message: `cannot parse request body: ${e}`,
         type: ErrorType.CONNECTION_ACTION_RUN,
@@ -87,6 +169,15 @@ export async function parseRequestParams(
         .get("content-type")
         ?.includes("application/x-www-form-urlencoded"))
   ) {
+    // For form data without a Content-Length header, stream-read the clone
+    // to enforce the body size limit before handing off to the FormData parser.
+    if (
+      config.server.web.maxBodySize > 0 &&
+      !req.headers.get("content-length")
+    ) {
+      await readBodyWithLimit(req.clone() as Request);
+    }
+
     const f = await req.formData();
     f.forEach((value, key) => {
       if (params[key] !== undefined) {