Changeset View
Changeset View
Standalone View
Standalone View
keyserver/src/session/cookies.js
| // @flow | // @flow | ||||
| import crypto from 'crypto'; | import crypto from 'crypto'; | ||||
| import type { $Response, $Request } from 'express'; | import type { $Response, $Request } from 'express'; | ||||
| import invariant from 'invariant'; | import invariant from 'invariant'; | ||||
| import bcrypt from 'twin-bcrypt'; | import bcrypt from 'twin-bcrypt'; | ||||
| import url from 'url'; | import url from 'url'; | ||||
| import { hasMinCodeVersion } from 'lib/shared/version-utils.js'; | import { hasMinCodeVersion } from 'lib/shared/version-utils.js'; | ||||
| import type { Shape } from 'lib/types/core.js'; | import type { Shape } from 'lib/types/core.js'; | ||||
| import type { SignedIdentityKeysBlob } from 'lib/types/crypto-types.js'; | import type { SignedIdentityKeysBlob } from 'lib/types/crypto-types.js'; | ||||
| import { isWebPlatform } from 'lib/types/device-types.js'; | |||||
| import type { Platform, PlatformDetails } from 'lib/types/device-types.js'; | import type { Platform, PlatformDetails } from 'lib/types/device-types.js'; | ||||
| import type { CalendarQuery } from 'lib/types/entry-types.js'; | import type { CalendarQuery } from 'lib/types/entry-types.js'; | ||||
| import { | import { | ||||
| type ServerSessionChange, | type ServerSessionChange, | ||||
| cookieLifetime, | cookieLifetime, | ||||
| cookieSources, | cookieSources, | ||||
| type CookieSource, | type CookieSource, | ||||
| cookieTypes, | cookieTypes, | ||||
| ▲ Show 20 Lines • Show All 292 Lines • ▼ Show 20 Lines | ): Promise<FetchViewerResult> { | ||||
| // We protect against CSRF attacks by making sure that on web, | // We protect against CSRF attacks by making sure that on web, | ||||
| // non-GET requests cannot use a bare cookie for session identification | // non-GET requests cannot use a bare cookie for session identification | ||||
| if (viewerResult.type === 'valid') { | if (viewerResult.type === 'valid') { | ||||
| const { viewer } = viewerResult; | const { viewer } = viewerResult; | ||||
| invariant( | invariant( | ||||
| req.method === 'GET' || | req.method === 'GET' || | ||||
| viewer.sessionIdentifierType !== sessionIdentifierTypes.COOKIE_ID || | viewer.sessionIdentifierType !== sessionIdentifierTypes.COOKIE_ID || | ||||
| viewer.platform !== 'web', | !isWebPlatform(viewer.platform), | ||||
| 'non-GET request from web using sessionIdentifierTypes.COOKIE_ID', | 'non-GET request from web using sessionIdentifierTypes.COOKIE_ID', | ||||
| ); | ); | ||||
| } | } | ||||
| return viewerResult; | return viewerResult; | ||||
| } | } | ||||
| async function fetchViewerFromRequestBody( | async function fetchViewerFromRequestBody( | ||||
| ▲ Show 20 Lines • Show All 517 Lines • Show Last 20 Lines | |||||