[backend] only kill session in sseMiddleware for auth bearer sessions (…

…#9216)
OpenCTI-Platform · Jan 27, 2025 · 7ed76c1 · 7ed76c1
1 parent f4fb41d
commit 7ed76c1
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/opencti-platform/opencti-graphql/src/domain/user.js b/opencti-platform/opencti-graphql/src/domain/user.js
@@ -77,7 +77,7 @@ import { cleanMarkings } from '../utils/markingDefinition-utils';
 
 const BEARER = 'Bearer ';
 const BASIC = 'Basic ';
-const AUTH_BEARER = 'Bearer';
+export const AUTH_BEARER = 'Bearer';
 const AUTH_BASIC = 'BasicAuth';
 export const TAXIIAPI = 'TAXIIAPI';
 const PLATFORM_ORGANIZATION = 'settings_platform_organization';

diff --git a/opencti-platform/opencti-graphql/src/graphql/sseMiddleware.js b/opencti-platform/opencti-graphql/src/graphql/sseMiddleware.js
@@ -3,7 +3,7 @@ import * as jsonpatch from 'fast-json-patch';
 import { Promise } from 'bluebird';
 import { LRUCache } from 'lru-cache';
 import conf, { basePath, logApp } from '../config/conf';
-import { authenticateUserFromRequest, TAXIIAPI } from '../domain/user';
+import { AUTH_BEARER, authenticateUserFromRequest, TAXIIAPI } from '../domain/user';
 import { createStreamProcessor, EVENT_CURRENT_VERSION } from '../database/redis';
 import { generateInternalId } from '../schema/identifier';
 import { stixLoadById, storeLoadByIdsWithRefs } from '../database/middleware';
@@ -63,7 +63,8 @@ const HEARTBEAT_PERIOD = conf.get('app:live_stream:heartbeat_period') ?? 5000;
 const sendErrorStatusAndKillSession = (req, res, httpStatus) => {
   try {
     res.status(httpStatus).end();
-    if (req.session) {
+    // only kill bearer sessions
+    if (req.session && req.session?.session_provider?.provider === AUTH_BEARER) {
       req.session.destroy();
     }
   } catch (error) {