keyserver/src/session/cookies.js
// @flow | // @flow | ||||
import crypto from 'crypto'; | import crypto from 'crypto'; | ||||
import type { $Response, $Request } from 'express'; | import type { $Response, $Request } from 'express'; | ||||
import invariant from 'invariant'; | import invariant from 'invariant'; | ||||
import bcrypt from 'twin-bcrypt'; | import bcrypt from 'twin-bcrypt'; | ||||
import url from 'url'; | import url from 'url'; | ||||
import { hasMinCodeVersion } from 'lib/shared/version-utils.js'; | import { hasMinCodeVersion } from 'lib/shared/version-utils.js'; | ||||
import type { Shape } from 'lib/types/core.js'; | import type { Shape } from 'lib/types/core.js'; | ||||
import type { SignedIdentityKeysBlob } from 'lib/types/crypto-types.js'; | import type { SignedIdentityKeysBlob } from 'lib/types/crypto-types.js'; | ||||
import { isWebPlatform } from 'lib/types/device-types.js'; | |||||
import type { Platform, PlatformDetails } from 'lib/types/device-types.js'; | import type { Platform, PlatformDetails } from 'lib/types/device-types.js'; | ||||
import type { CalendarQuery } from 'lib/types/entry-types.js'; | import type { CalendarQuery } from 'lib/types/entry-types.js'; | ||||
import { | import { | ||||
type ServerSessionChange, | type ServerSessionChange, | ||||
cookieLifetime, | cookieLifetime, | ||||
cookieSources, | cookieSources, | ||||
type CookieSource, | type CookieSource, | ||||
cookieTypes, | cookieTypes, | ||||
▲ Show 20 Lines • Show All 292 Lines • ▼ Show 20 Lines | ): Promise<FetchViewerResult> { | ||||
// We protect against CSRF attacks by making sure that on web, | // We protect against CSRF attacks by making sure that on web, | ||||
// non-GET requests cannot use a bare cookie for session identification | // non-GET requests cannot use a bare cookie for session identification | ||||
if (viewerResult.type === 'valid') { | if (viewerResult.type === 'valid') { | ||||
const { viewer } = viewerResult; | const { viewer } = viewerResult; | ||||
invariant( | invariant( | ||||
req.method === 'GET' || | req.method === 'GET' || | ||||
viewer.sessionIdentifierType !== sessionIdentifierTypes.COOKIE_ID || | viewer.sessionIdentifierType !== sessionIdentifierTypes.COOKIE_ID || | ||||
viewer.platform !== 'web', | !isWebPlatform(viewer.platform), | ||||
'non-GET request from web using sessionIdentifierTypes.COOKIE_ID', | 'non-GET request from web using sessionIdentifierTypes.COOKIE_ID', | ||||
); | ); | ||||
} | } | ||||
return viewerResult; | return viewerResult; | ||||
} | } | ||||
async function fetchViewerFromRequestBody( | async function fetchViewerFromRequestBody( | ||||
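Review bot: The CSRF guard's scope is now whatever `isWebPlatform` returns, so the comment at the top of this hunk ("on web") no longer names the set of platforms it covers; a reader has to open device-types.js to learn which clients must present a session identifier in the request body on non-GET requests. I'd extend the comment, e.g. `// "web" here means every platform for which isWebPlatform() is true, since those clients rely on browser-managed cookies; any platform added to isWebPlatform must also send a session identifier in the request body, or this invariant will fire on every non-GET request from it.` Note that invariant() throws rather than returning an error result, so a client on a platform newly classified as web that still identifies itself by the bare cookie would get a server error instead of a clean rejection; that is presumably intended as a programming-error check, but it is worth confirming that whatever assigns sessionIdentifierType was updated for the same platform set. The enclosing function begins outside this hunk (its signature closes at `): Promise<FetchViewerResult> {` just above).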