social-reporting-tool/v2/server/auth/session.ts

// Lifted from V1 agents/social-listening/dashboard/server.ts:75-92.
// V2 session payload is richer: carries user_id + active_team_id (not just username).
import { createHmac, randomBytes } from 'node:crypto';
import type { IncomingMessage, ServerResponse } from 'node:http';
import { envStr, IS_PRODUCTION } from '../lib/env.js';
import { parseCookies } from '../lib/http.js';

export const SESSION_MAX_AGE_SEC = 60 * 60 * 24; // 24h
const SECRET = envStr('SESSION_SECRET') || randomBytes(32).toString('hex');
export const COOKIE_NAME = 'sl_session_v2';

export interface SessionData {
  user_id: string;
  email: string;
  active_team_id: string | null;
  auth_method: 'azure-sso' | 'password';
  exp: number;
}

if (IS_PRODUCTION && !envStr('SESSION_SECRET')) {
  throw new Error('SESSION_SECRET must be set in production');
}

function sign(payload: string): string {
  const sig = createHmac('sha256', SECRET).update(payload).digest('hex');
  return `${payload}.${sig}`;
}

export function issueSession(data: Omit<SessionData, 'exp'>): string {
  const payload = JSON.stringify({ ...data, exp: Date.now() + SESSION_MAX_AGE_SEC * 1000 });
  return sign(payload);
}

export function getSession(req: IncomingMessage): SessionData | null {
  const token = parseCookies(req)[COOKIE_NAME];
  if (!token) return null;
  const dot = token.lastIndexOf('.');
  if (dot === -1) return null;
  const payload = token.slice(0, dot);
  const sig = token.slice(dot + 1);
  const expected = createHmac('sha256', SECRET).update(payload).digest('hex');
  if (sig !== expected) return null;
  try {
    const data = JSON.parse(payload) as SessionData;
    if (Date.now() > data.exp) return null;
    return data;
  } catch { return null; }
}

export function setSessionCookie(res: ServerResponse, token: string): void {
  const secure = IS_PRODUCTION ? '; Secure' : '';
  res.setHeader(
    'Set-Cookie',
    `${COOKIE_NAME}=${token}; Path=/; HttpOnly; SameSite=Strict; Max-Age=${SESSION_MAX_AGE_SEC}${secure}`,
  );
}

export function clearSessionCookie(res: ServerResponse): void {
  res.setHeader('Set-Cookie', `${COOKIE_NAME}=; Path=/; HttpOnly; Max-Age=0`);
}