use separate LocalSessionLifecycleService to manage local session

validation

Author: pujitm

api/src/unraid-api/auth/auth.module.ts

@@ -11,6 +11,7 @@ import { BASE_POLICY, CASBIN_MODEL } from '@app/unraid-api/auth/casbin/index.js'
 import { CookieService, SESSION_COOKIE_CONFIG } from '@app/unraid-api/auth/cookie.service.js';
 import { UserCookieStrategy } from '@app/unraid-api/auth/cookie.strategy.js';
 import { ServerHeaderStrategy } from '@app/unraid-api/auth/header.strategy.js';
+import { LocalSessionLifecycleService } from '@app/unraid-api/auth/local-session-lifecycle.service.js';
 import { LocalSessionService } from '@app/unraid-api/auth/local-session.service.js';
 import { LocalSessionStrategy } from '@app/unraid-api/auth/local-session.strategy.js';
 import { getRequest } from '@app/utils.js';
@@ -75,6 +76,7 @@ import { getRequest } from '@app/utils.js';
         UserCookieStrategy,
         CookieService,
         LocalSessionService,
+        LocalSessionLifecycleService,
         AuthZModule,
     ],
 })

api/src/unraid-api/auth/local-session-lifecycle.service.ts

@@ -0,0 +1,25 @@
+import { Injectable, OnModuleDestroy, OnModuleInit } from '@nestjs/common';
+
+import { LocalSessionService } from '@app/unraid-api/auth/local-session.service.js';
+
+/**
+ * Service for managing the lifecycle of the local session.
+ *
+ * Used for tying the local session's lifecycle to the API's life, rather
+ * than the LocalSessionService's lifecycle, since it may also be used by
+ * other applications, like the CLI.
+ *
+ * This service is only used in the API, and not in the CLI.
+ */
+@Injectable()
+export class LocalSessionLifecycleService implements OnModuleInit, OnModuleDestroy {
+    constructor(private readonly localSessionService: LocalSessionService) {}
+
+    async onModuleInit() {
+        await this.localSessionService.generateLocalSession();
+    }
+
+    async onModuleDestroy() {
+        await this.localSessionService.deleteLocalSession();
+    }
+}

api/src/unraid-api/auth/local-session.service.ts

@@ -1,51 +1,39 @@
-import { Injectable, Logger, OnModuleInit } from '@nestjs/common';
+import { Injectable, Logger } from '@nestjs/common';
 import { randomBytes, timingSafeEqual } from 'crypto';
-import { chmod, mkdir, readFile, writeFile } from 'fs/promises';
+import { chmod, mkdir, readFile, unlink, writeFile } from 'fs/promises';
 import { dirname } from 'path';
 
 /**
  * Service that manages a local session file for internal CLI/system authentication.
  * Creates a secure token on startup that can be used for local system operations.
  */
 @Injectable()
-export class LocalSessionService implements OnModuleInit {
+export class LocalSessionService {
     private readonly logger = new Logger(LocalSessionService.name);
     private sessionToken: string | null = null;
     private static readonly SESSION_FILE_PATH = '/var/run/unraid-api/local-session';
 
-    // NOTE: do NOT cleanup the session file upon eg. module/application shutdown.
-    // That would invalidate the session after each cli invocation, which is incorrect.
-    // Instead, rely on the startup logic to invalidate/overwrite any obsolete session.
-    async onModuleInit() {
-        try {
-            await this.generateLocalSession();
-            this.logger.verbose('Local session initialized');
-        } catch (error) {
-            this.logger.error('Failed to initialize local session:', error);
-        }
-    }
-
     /**
      * Generate a secure local session token and write it to file
      */
-    private async generateLocalSession(): Promise<void> {
+    async generateLocalSession(): Promise<void> {
         // Generate a cryptographically secure random token
         this.sessionToken = randomBytes(32).toString('hex');
 
         try {
             // Ensure directory exists
-            await mkdir(dirname(LocalSessionService.SESSION_FILE_PATH), { recursive: true });
+            await mkdir(dirname(LocalSessionService.getSessionFilePath()), { recursive: true });
 
             // Write token to file
-            await writeFile(LocalSessionService.SESSION_FILE_PATH, this.sessionToken, {
+            await writeFile(LocalSessionService.getSessionFilePath(), this.sessionToken, {
                 encoding: 'utf-8',
                 mode: 0o600, // Owner read/write only
             });
 
             // Ensure proper permissions (redundant but explicit)
-            await chmod(LocalSessionService.SESSION_FILE_PATH, 0o600);
+            await chmod(LocalSessionService.getSessionFilePath(), 0o600);
 
-            this.logger.debug(`Local session written to ${LocalSessionService.SESSION_FILE_PATH}`);
+            this.logger.debug(`Local session written to ${LocalSessionService.getSessionFilePath()}`);
         } catch (error) {
             this.logger.error(`Failed to write local session: ${error}`);
             throw error;
@@ -57,7 +45,7 @@ export class LocalSessionService implements OnModuleInit {
      */
     public async getLocalSession(): Promise<string | null> {
         try {
-            return await readFile(LocalSessionService.SESSION_FILE_PATH, 'utf-8');
+            return await readFile(LocalSessionService.getSessionFilePath(), 'utf-8');
         } catch (error) {
             this.logger.warn(error, 'Local session file not found or not readable');
             return null;
@@ -77,6 +65,14 @@ export class LocalSessionService implements OnModuleInit {
         return timingSafeEqual(Buffer.from(token, 'utf-8'), Buffer.from(currentToken, 'utf-8'));
     }
 
+    public async deleteLocalSession(): Promise<void> {
+        try {
+            await unlink(LocalSessionService.getSessionFilePath());
+        } catch (error) {
+            this.logger.error(error, 'Error deleting local session file');
+        }
+    }
+
     /**
      * Get the file path for the local session (useful for external readers)
      */