Only refresh cookie on post (#606)
Browse files- src/hooks.server.ts +16 -13
src/hooks.server.ts
CHANGED
|
@@ -51,20 +51,25 @@ export const handle: Handle = async ({ event, resolve }) => {
|
|
| 51 |
"application/x-www-form-urlencoded",
|
| 52 |
"text/plain",
|
| 53 |
];
|
| 54 |
-
if (event.request.method === "POST" && nativeFormContentTypes.includes(requestContentType)) {
|
| 55 |
-
const referer = event.request.headers.get("referer");
|
| 56 |
|
| 57 |
-
|
| 58 |
-
|
| 59 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 60 |
|
| 61 |
-
|
| 62 |
-
|
| 63 |
-
|
| 64 |
-
|
| 65 |
|
| 66 |
-
|
| 67 |
-
|
|
|
|
| 68 |
}
|
| 69 |
}
|
| 70 |
|
|
@@ -100,8 +105,6 @@ export const handle: Handle = async ({ event, resolve }) => {
|
|
| 100 |
}
|
| 101 |
}
|
| 102 |
|
| 103 |
-
refreshSessionCookie(event.cookies, event.locals.sessionId);
|
| 104 |
-
|
| 105 |
let replaced = false;
|
| 106 |
|
| 107 |
const response = await resolve(event, {
|
|
|
|
| 51 |
"application/x-www-form-urlencoded",
|
| 52 |
"text/plain",
|
| 53 |
];
|
|
|
|
|
|
|
| 54 |
|
| 55 |
+
if (event.request.method === "POST") {
|
| 56 |
+
refreshSessionCookie(event.cookies, event.locals.sessionId);
|
| 57 |
+
|
| 58 |
+
if (nativeFormContentTypes.includes(requestContentType)) {
|
| 59 |
+
const referer = event.request.headers.get("referer");
|
| 60 |
+
|
| 61 |
+
if (!referer) {
|
| 62 |
+
return errorResponse(403, "Non-JSON form requests need to have a referer");
|
| 63 |
+
}
|
| 64 |
|
| 65 |
+
const validOrigins = [
|
| 66 |
+
new URL(event.request.url).origin,
|
| 67 |
+
...(PUBLIC_ORIGIN ? [new URL(PUBLIC_ORIGIN).origin] : []),
|
| 68 |
+
];
|
| 69 |
|
| 70 |
+
if (!validOrigins.includes(new URL(referer).origin)) {
|
| 71 |
+
return errorResponse(403, "Invalid referer for POST request");
|
| 72 |
+
}
|
| 73 |
}
|
| 74 |
}
|
| 75 |
|
|
|
|
| 105 |
}
|
| 106 |
}
|
| 107 |
|
|
|
|
|
|
|
| 108 |
let replaced = false;
|
| 109 |
|
| 110 |
const response = await resolve(event, {
|
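Review bot: In the first hunk's new side, `new URL(referer).origin` is evaluated on an attacker-controlled header, and `new URL()` throws a TypeError on anything that is not a well-formed absolute URL, so a malformed Referer on a native-form POST turns into an unhandled exception in `handle` (a 500) instead of the intended 403. The origin comparison should parse inside a try/catch and reject on failure, as sketched below. A second ordering point: `refreshSessionCookie(event.cookies, event.locals.sessionId)` now runs before the referer/origin check, so a cross-site form POST that is then rejected with 403 still gets its session cookie refreshed if SvelteKit attaches cookies set through `event.cookies` to the early-returned response, which I believe it does; moving the refresh below the check keeps the rejected request side-effect free. The `handle` function starts and ends outside both hunks, and the removed lines' text is not recoverable from this rendering, so whether the parse issue predates the commit is not visible here.
```typescript
    if (event.request.method === "POST") {
        if (nativeFormContentTypes.includes(requestContentType)) {
            // … unchanged: referer presence check, validOrigins …
            let refererOrigin: string;
            try {
                refererOrigin = new URL(referer).origin;
            } catch {
                // a malformed Referer must fail the check, not crash the hook
                return errorResponse(403, "Invalid referer for POST request");
            }

            if (!validOrigins.includes(refererOrigin)) {
                return errorResponse(403, "Invalid referer for POST request");
            }
        }

        // refresh only once the request has passed the origin check
        refreshSessionCookie(event.cookies, event.locals.sessionId);
    }
```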