Spaces:
Paused
Paused
Commit
•
265abf1
1
Parent(s):
e6e851b
🔒️ Harden session ID generator (#599)
Browse files- src/hooks.server.ts +13 -3
src/hooks.server.ts
CHANGED
|
@@ -13,9 +13,7 @@ import { ERROR_MESSAGES } from "$lib/stores/errors";
|
|
| 13 |
export const handle: Handle = async ({ event, resolve }) => {
|
| 14 |
const token = event.cookies.get(COOKIE_NAME);
|
| 15 |
|
| 16 |
-
|
| 17 |
-
|
| 18 |
-
const user = await collections.users.findOne({ sessionId: event.locals.sessionId });
|
| 19 |
|
| 20 |
if (user) {
|
| 21 |
event.locals.user = user;
|
|
@@ -33,6 +31,18 @@ export const handle: Handle = async ({ event, resolve }) => {
|
|
| 33 |
});
|
| 34 |
}
|
| 35 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 36 |
// CSRF protection
|
| 37 |
const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
|
| 38 |
/** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */
|
|
|
|
| 13 |
export const handle: Handle = async ({ event, resolve }) => {
|
| 14 |
const token = event.cookies.get(COOKIE_NAME);
|
| 15 |
|
| 16 |
+
const user = token ? await collections.users.findOne({ sessionId: token }) : null;
|
|
|
|
|
|
|
| 17 |
|
| 18 |
if (user) {
|
| 19 |
event.locals.user = user;
|
|
|
|
| 31 |
});
|
| 32 |
}
|
| 33 |
|
| 34 |
+
if (!token) {
|
| 35 |
+
const sessionId = crypto.randomUUID();
|
| 36 |
+
if (await collections.users.findOne({ sessionId })) {
|
| 37 |
+
return errorResponse(500, "Session ID collision");
|
| 38 |
+
}
|
| 39 |
+
event.locals.sessionId = sessionId;
|
| 40 |
+
} else {
|
| 41 |
+
event.locals.sessionId = token;
|
| 42 |
+
}
|
| 43 |
+
|
| 44 |
+
Object.freeze(event.locals);
|
| 45 |
+
|
| 46 |
// CSRF protection
|
| 47 |
const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
|
| 48 |
/** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */
|