forked from andyburke/autonomous.contact
spelling grammar
This commit is contained in:
parent
a2e035830c
commit
7a04d1f7af
7 changed files with 197 additions and 27 deletions
@ -122,7 +122,8 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
|
|||
|
||||
const session_result: SESSION_RESULT = await create_new_session({
|
||||
user,
|
||||
expires: body.session?.expires
|
||||
expires: body.session?.expires,
|
||||
request_url: req.url
|
||||
});
|
||||
|
||||
// TODO: verify this redirect is relative?
|
||||
|
|
@ -159,8 +160,17 @@ export type SESSION_RESULT = {
|
|||
export type SESSION_INFO = {
|
||||
user: USER;
|
||||
expires: string | undefined;
|
||||
request_url?: string;
|
||||
};
|
||||
|
||||
function should_set_secure_cookies(request_url?: string): boolean {
|
||||
if (!request_url) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return new URL(request_url).protocol === 'https:';
|
||||
}
|
||||
|
||||
// DELETE /api/auth - log out (delete session)
|
||||
PRECHECKS.DELETE = [get_session, get_user, require_user];
|
||||
const back_then = new Date(0).toUTCString();
|
||||
|
|
@ -188,6 +198,7 @@ export async function create_new_session(session_settings: SESSION_INFO): Promis
|
|||
const now = new Date().toISOString();
|
||||
const expires: string = session_settings.expires ??
|
||||
new Date(new Date(now).valueOf() + DEFAULT_SESSION_TIME).toISOString();
|
||||
const secure_attribute = should_set_secure_cookies(session_settings.request_url) ? '; Secure' : '';
|
||||
|
||||
crypto.getRandomValues(session_secret_buffer);
|
||||
|
||||
|
|
@ -207,13 +218,13 @@ export async function create_new_session(session_settings: SESSION_INFO): Promis
|
|||
const headers = new Headers();
|
||||
|
||||
const expires_in_utc = new Date(session.timestamps.expires).toUTCString();
|
||||
headers.append('Set-Cookie', `${AUTHED_BEFORE_COOKIE_ID}=1; Path=/; Secure; Expires=${new Date(new Date(now).valueOf() + AUTHED_BEFORE_EXPIRATION).toUTCString()}`);
|
||||
headers.append('Set-Cookie', `${SESSION_ID_TOKEN}=${session.id}; Path=/; Secure; Expires=${expires_in_utc}`);
|
||||
headers.append('Set-Cookie', `${AUTHED_BEFORE_COOKIE_ID}=1; Path=/${secure_attribute}; Expires=${new Date(new Date(now).valueOf() + AUTHED_BEFORE_EXPIRATION).toUTCString()}`);
|
||||
headers.append('Set-Cookie', `${SESSION_ID_TOKEN}=${session.id}; Path=/${secure_attribute}; Expires=${expires_in_utc}`);
|
||||
headers.append(`x-${SESSION_ID_TOKEN}`, session.id);
|
||||
|
||||
// TODO: this wasn't really intended to be persisted in a cookie, but we are using it to
|
||||
// generate the TOTP for the call to /api/users/me
|
||||
headers.append('Set-Cookie', `${SESSION_SECRET_TOKEN}=${session.secret}; Path=/; Secure; Expires=${expires_in_utc}`);
|
||||
headers.append('Set-Cookie', `${SESSION_SECRET_TOKEN}=${session.secret}; Path=/${secure_attribute}; Expires=${expires_in_utc}`);
|
||||
|
||||
return {
|
||||
session,
|
||||
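Review bot: `should_set_secure_cookies` derives the Secure attribute from the scheme of `req.url`, which is the app server's own view of the connection; behind a TLS-terminating proxy that scheme is typically `http:`, so every cookie built in the `@ -207,13 +218,13` hunk (the session id, the authed-before marker and the session secret) would be issued without Secure in exactly the deployment where it matters. `new URL(request_url)` also throws on a malformed string, which turns the cookie decision into an unhandled error. Inverting the default is safer: keep Secure unless the request is plainly local (plain http to a loopback host), and keep it when the URL does not parse; the same `request_url: req.url` is passed from both POST handlers (the first hunk of this file and the `@ -245,7 +245,8` hunk), so a fix in the helper covers both call sites. `create_new_session` continues outside the hunk; its cookies still carry no explicit `SameSite` attribute, which is worth adding alongside this change.
```typescript
function should_set_secure_cookies(request_url?: string): boolean {
    if (!request_url) {
        return true;
    }

    let url: URL;
    try {
        url = new URL(request_url);
    } catch {
        return true; // unparseable URL: keep the safe default
    }

    // Only plain-http requests to a loopback host (local development) drop Secure;
    // an app behind a TLS-terminating proxy still issues Secure cookies.
    const is_loopback = url.hostname === 'localhost' || url.hostname === '127.0.0.1' || url.hostname === '[::1]';
    return url.protocol === 'https:' || !is_loopback;
}
```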
@ -29,7 +29,7 @@ export async function GET(_req: Request, meta: Record<string, any>): Promise<Res
|
|||
// POST /api/channels - Create a channel
|
||||
PRECHECKS.POST = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
|
||||
const can_create_channels = meta.user.permissions.includes('channels.create');
|
||||
|
||||
console.log('User permissions:', meta.user.permissions);
|
||||
if (!can_create_channels) {
|
||||
return CANNED_RESPONSES.permission_denied();
|
||||
}
|
||||
|
@ -245,7 +245,8 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
|
|||
|
||||
const session_result: SESSION_RESULT = await create_new_session({
|
||||
user,
|
||||
expires: undefined
|
||||
expires: undefined,
|
||||
request_url: req.url
|
||||
});
|
||||
|
||||
// TODO: verify this redirect is ok?
|
||||