+34

src/lib/auth.test.ts

reviewed

··· 130 130 }; 131 131 expect(typeof result.count).toBe("number"); 132 132 }); 133 133 + 134 134 + test("enforces maximum session limit per user", () => { 135 135 + const userId = 999; 136 136 + 137 137 + // Clean up any existing sessions for this user 138 138 + db.run("DELETE FROM sessions WHERE user_id = ?", [userId]); 139 139 + 140 140 + // Create 11 sessions (limit is 10) 141 141 + const sessionIds: string[] = []; 142 142 + for (let i = 0; i < 11; i++) { 143 143 + const sessionId = createSession(userId, `192.168.1.${i}`, `Agent ${i}`); 144 144 + sessionIds.push(sessionId); 145 145 + } 146 146 + 147 147 + // Count total sessions for user 148 148 + const sessionCount = db 149 149 + .query<{ count: number }, [number]>( 150 150 + "SELECT COUNT(*) as count FROM sessions WHERE user_id = ?", 151 151 + ) 152 152 + .get(userId); 153 153 + 154 154 + expect(sessionCount?.count).toBe(10); 155 155 + 156 156 + // First session should be deleted (oldest) 157 157 + const firstSession = getSession(sessionIds[0]); 158 158 + expect(firstSession).toBeNull(); 159 159 + 160 160 + // Last session should exist (newest) 161 161 + const lastSession = getSession(sessionIds[10]); 162 162 + expect(lastSession).not.toBeNull(); 163 163 + 164 164 + // Cleanup 165 165 + db.run("DELETE FROM sessions WHERE user_id = ?", [userId]); 166 166 + });

+22

src/lib/auth.ts

reviewed

··· 1 1 import db from "../db/schema"; 2 2 3 3 const SESSION_DURATION = 7 * 24 * 60 * 60; // 7 days in seconds 4 4 + const MAX_SESSIONS_PER_USER = 10; // Maximum number of sessions per user 4 5 5 6 export type UserRole = "user" | "admin"; 6 7 ··· 30 31 ): string { 31 32 const sessionId = crypto.randomUUID(); 32 33 const expiresAt = Math.floor(Date.now() / 1000) + SESSION_DURATION; 34 34 + 35 35 + // Check current session count for user 36 36 + const sessionCount = db 37 37 + .query<{ count: number }, [number]>( 38 38 + "SELECT COUNT(*) as count FROM sessions WHERE user_id = ?", 39 39 + ) 40 40 + .get(userId); 41 41 + 42 42 + // If at or over limit, delete oldest session(s) 43 43 + if (sessionCount && sessionCount.count >= MAX_SESSIONS_PER_USER) { 44 44 + const sessionsToDelete = sessionCount.count - MAX_SESSIONS_PER_USER + 1; 45 45 + db.run( 46 46 + `DELETE FROM sessions WHERE id IN ( 47 47 + SELECT id FROM sessions 48 48 + WHERE user_id = ? 49 49 + ORDER BY created_at ASC 50 50 + LIMIT ? 51 51 + )`, 52 52 + [userId, sessionsToDelete], 53 53 + ); 54 54 + } 33 55 34 56 db.run( 35 57 "INSERT INTO sessions (id, user_id, ip_address, user_agent, expires_at) VALUES (?, ?, ?, ?, ?)",