From 7ed76c155556baeab32de1662e40604035a9bdb1 Mon Sep 17 00:00:00 2001
From: Jeremy Cloarec <159018898+JeremyCloarec@users.noreply.github.com>
Date: Mon, 27 Jan 2025 10:12:29 +0100
Subject: [PATCH] [backend] only kill session in sseMiddleware for auth bearer sessions (#9216)

---
 opencti-platform/opencti-graphql/src/domain/user.js | 2 +-
 .../opencti-graphql/src/graphql/sseMiddleware.js | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/opencti-platform/opencti-graphql/src/domain/user.js b/opencti-platform/opencti-graphql/src/domain/user.js
index 7850c692da80..fd82b601cf89 100644
--- a/opencti-platform/opencti-graphql/src/domain/user.js
+++ b/opencti-platform/opencti-graphql/src/domain/user.js
@@ -77,7 +77,7 @@ import { cleanMarkings } from '../utils/markingDefinition-utils';
 
 const BEARER = 'Bearer ';
 const BASIC = 'Basic ';
-const AUTH_BEARER = 'Bearer';
+export const AUTH_BEARER = 'Bearer';
 const AUTH_BASIC = 'BasicAuth';
 export const TAXIIAPI = 'TAXIIAPI';
 const PLATFORM_ORGANIZATION = 'settings_platform_organization';
diff --git a/opencti-platform/opencti-graphql/src/graphql/sseMiddleware.js b/opencti-platform/opencti-graphql/src/graphql/sseMiddleware.js
index cbd134c79f86..1972747ae3fd 100644
--- a/opencti-platform/opencti-graphql/src/graphql/sseMiddleware.js
+++ b/opencti-platform/opencti-graphql/src/graphql/sseMiddleware.js
@@ -3,7 +3,7 @@ import * as jsonpatch from 'fast-json-patch';
 import { Promise } from 'bluebird';
 import { LRUCache } from 'lru-cache';
 import conf, { basePath, logApp } from '../config/conf';
-import { authenticateUserFromRequest, TAXIIAPI } from '../domain/user';
+import { AUTH_BEARER, authenticateUserFromRequest, TAXIIAPI } from '../domain/user';
 import { createStreamProcessor, EVENT_CURRENT_VERSION } from '../database/redis';
 import { generateInternalId } from '../schema/identifier';
 import { stixLoadById, storeLoadByIdsWithRefs } from '../database/middleware';
@@ -63,7 +63,8 @@ const HEARTBEAT_PERIOD = conf.get('app:live_stream:heartbeat_period') ?? 5000;
 const sendErrorStatusAndKillSession = (req, res, httpStatus) => {
   try {
     res.status(httpStatus).end();
-    if (req.session) {
+    // only kill bearer sessions
+    if (req.session && req.session?.session_provider?.provider === AUTH_BEARER) {
       req.session.destroy();
     }
   } catch (error) {
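Review bot: The new guard on the `if` line first tests `req.session` and then re-applies optional chaining in `req.session?.session_provider?.provider`, so one of the two checks is redundant; `if (req.session?.session_provider?.provider === AUTH_BEARER) {` states the same condition in a single read. The added comment says what the line does but not why only bearer sessions are torn down; a comment along the lines of `// bearer-token sessions are created per request; cookie-bound browser sessions must survive a failed stream request` would record the intent, assuming that is the reason (the shape of `session_provider` is not visible in this hunk). If `req.session.destroy` is the express-session method, it reports failures through its callback rather than by throwing, so the surrounding try/catch would not observe a failed destroy; passing a callback that logs the error would keep that path visible. The catch body of sendErrorStatusAndKillSession continues past the end of the hunk.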