diff --git a/keyserver/src/session/cookies.js b/keyserver/src/session/cookies.js --- a/keyserver/src/session/cookies.js +++ b/keyserver/src/session/cookies.js @@ -8,7 +8,6 @@ import type { Shape } from 'lib/types/core.js'; import type { SignedIdentityKeysBlob } from 'lib/types/crypto-types.js'; -import { isWebPlatform } from 'lib/types/device-types.js'; import type { Platform, PlatformDetails } from 'lib/types/device-types.js'; import type { CalendarQuery } from 'lib/types/entry-types.js'; import { @@ -279,51 +278,6 @@ }; } -// This function is meant to consume a cookie that has already been processed. -// That means it doesn't have any logic to handle an invalid cookie, and it -// doesn't update the cookie's last_used timestamp. -async function fetchViewerFromCookieData( - req: $Request, - sessionParameterInfo: SessionParameterInfo, -): Promise { - let viewerResult; - const { user, anonymous } = req.cookies; - if (user) { - viewerResult = await fetchUserViewer( - user, - cookieSources.HEADER, - sessionParameterInfo, - ); - } else if (anonymous) { - viewerResult = await fetchAnonymousViewer( - anonymous, - cookieSources.HEADER, - sessionParameterInfo, - ); - } else { - return { - type: 'nonexistant', - cookieName: null, - cookieSource: null, - sessionParameterInfo, - }; - } - - // We protect against CSRF attacks by making sure that on web, - // non-GET requests cannot use a bare cookie for session identification - if (viewerResult.type === 'valid') { - const { viewer } = viewerResult; - invariant( - req.method === 'GET' || - viewer.sessionIdentifierType !== sessionIdentifierTypes.COOKIE_ID || - !isWebPlatform(viewer.platform), - 'non-GET request from web using sessionIdentifierTypes.COOKIE_ID', - ); - } - - return viewerResult; -} - async function fetchViewerFromRequestBody( body: mixed, sessionParameterInfo: SessionParameterInfo, @@ -414,24 +368,13 @@ async function fetchViewerForJSONRequest(req: $Request): Promise { assertSecureRequest(req); const sessionParameterInfo = getSessionParameterInfoFromRequestBody(req); - let result = await fetchViewerFromRequestBody(req.body, sessionParameterInfo); - if ( - result.type === 'nonexistant' && - (result.cookieSource === null || result.cookieSource === undefined) - ) { - result = await fetchViewerFromCookieData(req, sessionParameterInfo); - } + const result = await fetchViewerFromRequestBody( + req.body, + sessionParameterInfo, + ); return await handleFetchViewerResult(result); } -const webPlatformDetails = { platform: 'web' }; -async function fetchViewerForHomeRequest(req: $Request): Promise { - assertSecureRequest(req); - const sessionParameterInfo = getSessionParameterInfoFromRequestBody(req); - const result = await fetchViewerFromCookieData(req, sessionParameterInfo); - return await handleFetchViewerResult(result, webPlatformDetails); -} - async function fetchViewerForSocket( req: $Request, clientMessage: InitialClientSocketMessage, @@ -450,16 +393,10 @@ userAgent: req.get('User-Agent'), }; - let result = await fetchViewerFromRequestBody( + const result = await fetchViewerFromRequestBody( clientMessage.payload.sessionIdentification, sessionParameterInfo, ); - if ( - result.type === 'nonexistant' && - (result.cookieSource === null || result.cookieSource === undefined) - ) { - result = await fetchViewerFromCookieData(req, sessionParameterInfo); - } if (result.type === 'valid') { return result.viewer; } @@ -856,7 +793,6 @@ export { fetchViewerForJSONRequest, - fetchViewerForHomeRequest, fetchViewerForSocket, createNewAnonymousCookie, createNewUserCookie,