feat: renewSessions to automatically renew Parse Sessions

Author: dblythy

spec/Auth.spec.js

@@ -94,6 +94,31 @@ describe('Auth', () => {
     });
   });
 
+  it('can use renewSessions', async () => {
+    await reconfigureServer({
+      renewSessions: true,
+    });
+
+    const user = new Parse.User();
+    await user.signUp({
+      username: 'hello',
+      password: 'password',
+    });
+    const session = await new Parse.Query(Parse.Session).first();
+    const updatedAt = new Date('2010');
+    const expiry = new Date();
+
+    await Parse.Server.database.update(
+      '_Session',
+      { objectId: session.id },
+      { updatedAt: Parse._encode(updatedAt), expiresAt: Parse._encode(expiry) }
+    );
+    await session.fetch();
+    await new Promise(resolve => setTimeout(resolve, 1000));
+    await session.fetch();
+    expect(session.get('expiresAt') > expiry).toBeTrue();
+  });
+
   it('should load auth without a config', async () => {
     const user = new Parse.User();
     await user.signUp({

spec/index.spec.js

@@ -367,6 +367,22 @@ describe('server', () => {
     });
   });
 
+  it('should throw when renewSessions is invalid', async () => {
+    await expectAsync(
+      reconfigureServer({
+        renewSessions: 'yolo',
+      })
+    ).toBeRejectedWith('renewSessions must be a boolean value');
+  });
+
+  it('should throw when revokeSessionOnPasswordReset is invalid', async () => {
+    await expectAsync(
+      reconfigureServer({
+        revokeSessionOnPasswordReset: 'yolo',
+      })
+    ).toBeRejectedWith('revokeSessionOnPasswordReset must be a boolean value');
+  });
+
   it('fails if the session length is not a number', done => {
     reconfigureServer({ sessionLength: 'test' })
       .then(done.fail)

src/Auth.js

@@ -66,6 +66,47 @@ function nobody(config) {
   return new Auth({ config, isMaster: false });
 }
 
+const throttle = {};
+const renewSessionIfNeeded = async ({ config, session, sessionToken }) => {
+  if (!config?.renewSessions) {
+    return;
+  }
+  clearTimeout(throttle[sessionToken]);
+  throttle[sessionToken] = setTimeout(async () => {
+    try {
+      if (!session) {
+        const RestQuery = require('./RestQuery');
+        const { results } = await new RestQuery(
+          config,
+          master(config),
+          '_Session',
+          { sessionToken },
+          { limit: 1 }
+        ).execute();
+        session = results[0];
+      }
+      const lastUpdated = new Date(session?.updatedAt);
+      const yesterday = new Date();
+      yesterday.setDate(yesterday.getDate() - 1);
+      if (lastUpdated > yesterday || !session) {
+        return;
+      }
+      await config.database.update(
+        '_Session',
+        { objectId: session.objectId },
+        {
+          expiresAt: Parse._encode(config.generateSessionExpiresAt()),
+          updatedAt: Parse._encode(new Date()),
+        }
+      );
+    } catch (e) {
+      if (e?.code !== Parse.Error.OBJECT_NOT_FOUND) {
+        logger.error('Could not update session expiry: ', e);
+      }
+    }
+  }, 500);
+};
+
 // Returns a promise that resolves to an Auth object
 const getAuthForSessionToken = async function ({
   config,
@@ -78,6 +119,7 @@ const getAuthForSessionToken = async function ({
     const userJSON = await cacheController.user.get(sessionToken);
     if (userJSON) {
       const cachedUser = Parse.Object.fromJSON(userJSON);
+      renewSessionIfNeeded({ config, sessionToken });
       return Promise.resolve(
         new Auth({
           config,
@@ -112,18 +154,20 @@ const getAuthForSessionToken = async function ({
   if (results.length !== 1 || !results[0]['user']) {
     throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token');
   }
+  const session = results[0];
   const now = new Date(),
-    expiresAt = results[0].expiresAt ? new Date(results[0].expiresAt.iso) : undefined;
+    expiresAt = session.expiresAt ? new Date(session.expiresAt.iso) : undefined;
   if (expiresAt < now) {
     throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Session token is expired.');
   }
-  const obj = results[0]['user'];
+  const obj = session.user;
   delete obj.password;
   obj['className'] = '_User';
   obj['sessionToken'] = sessionToken;
   if (cacheController) {
     cacheController.user.put(sessionToken, obj);
   }
+  renewSessionIfNeeded({ config, session, sessionToken });
   const userObject = Parse.Object.fromJSON(obj);
   return new Auth({
     config,

src/Config.js

@@ -86,6 +86,7 @@ export class Config {
     logLevels,
     rateLimit,
     databaseOptions,
+    renewSessions,
   }) {
     if (masterKey === readOnlyMasterKey) {
       throw new Error('masterKey and readOnlyMasterKey should be different');
@@ -103,6 +104,10 @@ export class Config {
       throw 'revokeSessionOnPasswordReset must be a boolean value';
     }
 
+    if (typeof renewSessions !== 'boolean') {
+      throw 'renewSessions must be a boolean value';
+    }
+
     if (publicServerURL) {
       if (!publicServerURL.startsWith('http://') && !publicServerURL.startsWith('https://')) {
         throw 'publicServerURL should be a valid HTTPS URL starting with https://';

src/Options/Definitions.js

@@ -435,6 +435,12 @@ module.exports.ParseServerOptions = {
     env: 'PARSE_SERVER_READ_ONLY_MASTER_KEY',
     help: 'Read-only key, which has the same capabilities as MasterKey without writes',
   },
+  renewSessions: {
+    env: 'PARSE_SERVER_RENEW_SESSIONS',
+    help: 'Whether Parse Server should automatically extend a valid session by the sessionLength',
+    action: parsers.booleanParser,
+    default: false,
+  },
   requestKeywordDenylist: {
     env: 'PARSE_SERVER_REQUEST_KEYWORD_DENYLIST',
     help:

src/Options/docs.js

@@ -202,6 +202,9 @@ export interface ParseServerOptions {
   /* Session duration, in seconds, defaults to 1 year
   :DEFAULT: 31536000 */
   sessionLength: ?number;
+  /* Whether Parse Server should automatically extend a valid session by the sessionLength
+  :DEFAULT: false */
+  renewSessions: ?boolean;
   /* Default value for limit option on queries, defaults to `100`.
   :DEFAULT: 100 */
   defaultLimit: ?number;