Merge branch 'main' into peter/eng-8578-ensure-best-practices-with-log-masking-redaction

Author: pepol

.github/workflows/protographic.yaml

@@ -41,7 +41,7 @@ jobs:
       - name: Lint
         run: pnpm run --filter ./protographic lint
 
-      - name: Upload integration results to Codecov
+      - name: Upload test results to Codecov
         uses: ./.github/actions/codecov-upload-pr
         with:
           artifact-name: protographic-tests-coverage

cli/CHANGELOG.md

@@ -4,6 +4,12 @@ Binaries are attached to the github release otherwise all images can be found [h
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [0.102.6](https://github.com/wundergraph/cosmo/compare/[email protected]@0.102.6) (2025-12-16)
+
+### Bug Fixes
+
+* resolve js-yaml vulnerabilities ([#2415](https://github.com/wundergraph/cosmo/issues/2415)) ([7734754](https://github.com/wundergraph/cosmo/commit/7734754c098a7b85ada9f78771610ebd2754cffe)) (@pepol)
+
 ## [0.102.5](https://github.com/wundergraph/cosmo/compare/[email protected]@0.102.5) (2025-12-15)
 
 **Note:** Version bump only for package wgc

cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wgc",
-  "version": "0.102.5",
+  "version": "0.102.6",
   "description": "The official CLI tool to manage the GraphQL Federation Platform Cosmo",
   "type": "module",
   "main": "dist/src/index.js",
@@ -66,7 +66,7 @@
     "graphql": "16.9.0",
     "https-proxy-agent": "7.0.5",
     "inquirer": "9.2.7",
-    "js-yaml": "4.1.0",
+    "js-yaml": "4.1.1",
     "jwt-decode": "3.1.2",
     "lodash-es": "4.17.21",
     "log-symbols": "5.1.0",

codecov.yaml

@@ -14,25 +14,33 @@ coverage:
 flags:
   router:
     paths:
-      - router
+      - router/
     carryforward: true
   cli:
     paths:
-      - cli
+      - cli/
     carryforward: true
   studio:
     paths:
-      - studio
+      - studio/
     carryforward: true
   graphqlmetrics:
     paths:
-      - graphqlmetrics
+      - graphqlmetrics/
     carryforward: true
   controlplane:
     paths:
-      - controlplane
+      - controlplane/
     carryforward: true
   composition:
     paths:
-      - composition
-    carryforward: true
+      - composition/
+    carryforward: true
+
+comment:
+  layout: "diff, flags, files"
+  behavior: default
+  require_changes: false
+  require_base: no
+  require_head: yes
+  show_carryforward_flags: true

controlplane/CHANGELOG.md

@@ -4,6 +4,12 @@ Binaries are attached to the github release otherwise all images can be found [h
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [0.182.0](https://github.com/wundergraph/cosmo/compare/[email protected]@0.182.0) (2025-12-16)
+
+### Features
+
+* validate session cookie ([#2406](https://github.com/wundergraph/cosmo/issues/2406)) ([13ec2dd](https://github.com/wundergraph/cosmo/commit/13ec2dd5240e52c7774d251db5fd79e23905f6c2)) (@wilsonrivera)
+
 # [0.181.0](https://github.com/wundergraph/cosmo/compare/[email protected]@0.181.0) (2025-12-15)
 
 ### Bug Fixes

controlplane/package.json

@@ -1,6 +1,6 @@
 {
   "name": "controlplane",
-  "version": "0.181.0",
+  "version": "0.182.0",
   "private": true,
   "description": "WunderGraph Cosmo Controlplane",
   "type": "module",

controlplane/src/core/auth-utils.ts

@@ -4,6 +4,7 @@ import axios from 'axios';
 import { eq } from 'drizzle-orm';
 import { PostgresJsDatabase } from 'drizzle-orm/postgres-js';
 import { EnumStatusCode } from '@wundergraph/cosmo-connect/dist/common/common_pb';
+import { addSeconds } from 'date-fns';
 import { PKCECodeChallenge, UserInfoEndpointResponse, UserSession } from '../types/index.js';
 import * as schema from '../db/schema.js';
 import { sessions } from '../db/schema.js';
@@ -38,7 +39,7 @@ export type AuthUtilsOptions = {
   };
 };
 
-const tokenExpirationWindowSkew = 60 * 5;
+const tokenExpirationWindowSkew = 60 * 5; // 5 minutes
 const pkceMaxAgeSec = 60 * 15; // 15 minutes
 const pkceCodeAlgorithm = 'S256';
 const scope = 'openid profile email';
@@ -298,6 +299,18 @@ export default class AuthUtils {
     };
   }
 
+  public static isSessionExpired(session: { createdAt: Date; updatedAt: Date | null; expiresAt: Date }): boolean {
+    const now = new Date();
+    if (session.expiresAt <= now) {
+      // Session reached end-of-life
+      return true;
+    }
+
+    const sessionLastUpdatedOrCreation = session.updatedAt ?? session.createdAt;
+    const sessionExpiresAt = addSeconds(sessionLastUpdatedOrCreation, DEFAULT_SESSION_MAX_AGE_SEC);
+    return sessionExpiresAt <= now;
+  }
+
   /**
    * renewSession renews the user session if the access token is expired.
    * If the refresh token is expired, an error is thrown.
@@ -327,30 +340,27 @@ export default class AuthUtils {
         throw new AuthenticationError(EnumStatusCode.ERROR_NOT_AUTHENTICATED, 'Refresh token expired');
       }
 
-      // The session expiration is relative to the creation time
-      const baseMs = userSession.createdAt.getTime();
-      const expiresAtMs = baseMs + DEFAULT_SESSION_MAX_AGE_SEC * 1000;
-      const sessionExpiresDate = new Date(expiresAtMs);
-      const remainingSeconds = Math.max(0, Math.floor((expiresAtMs - Date.now()) / 1000));
-
-      if (remainingSeconds <= 0) {
+      // The session expiration is relative
+      if (AuthUtils.isSessionExpired(userSession)) {
         // Absolute session lifetime has elapsed; do not renew.
         throw new AuthenticationError(EnumStatusCode.ERROR_NOT_AUTHENTICATED, 'Session expired');
       }
 
       // Refresh the access token with the refresh token
       // The method will throw an error if the request fails
+      const now = new Date();
       const { accessToken, refreshToken, idToken } = await this.refreshToken(userSession.refreshToken);
 
       // Update active session
+      const expiresAt = addSeconds(now, DEFAULT_SESSION_MAX_AGE_SEC);
       const updatedSessions = await this.db
         .update(sessions)
         .set({
           accessToken,
           refreshToken,
-          expiresAt: sessionExpiresDate,
+          expiresAt,
           idToken,
-          updatedAt: new Date(),
+          updatedAt: now,
         })
         .where(eq(sessions.id, sessionId))
         .returning()
@@ -363,7 +373,7 @@ export default class AuthUtils {
       const newUserSession = updatedSessions[0];
 
       const jwt = await encrypt<UserSession>({
-        maxAgeInSeconds: remainingSeconds,
+        maxAgeInSeconds: DEFAULT_SESSION_MAX_AGE_SEC,
         token: {
           iss: userSession.userId,
           sessionId: newUserSession.id,
@@ -372,7 +382,7 @@ export default class AuthUtils {
       });
 
       // Update the session cookie
-      this.createSessionCookie(res, jwt, sessionExpiresDate);
+      this.createSessionCookie(res, jwt, expiresAt);
 
       return newUserSession;
     }

controlplane/src/core/build-server.ts

@@ -246,7 +246,7 @@ export default async function build(opts: BuildConfig) {
   const apiKeyAuth = new ApiKeyAuthenticator(fastify.db, organizationRepository);
   const userRepo = new UserRepository(logger, fastify.db);
   const apiKeyRepository = new ApiKeyRepository(fastify.db);
-  const webAuth = new WebSessionAuthenticator(opts.auth.secret, userRepo);
+  const webAuth = new WebSessionAuthenticator(fastify.db, opts.auth.secret, userRepo);
   const graphKeyAuth = new GraphApiTokenAuthenticator(opts.auth.secret);
   const accessTokenAuth = new AccessTokenAuthenticator(organizationRepository, authUtils);
   const authenticator = new Authentication(webAuth, apiKeyAuth, accessTokenAuth, graphKeyAuth, organizationRepository);