archetecture security fix
This commit is contained in:
+47
@@ -0,0 +1,47 @@
|
||||
"use strict";
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
exports.sendUnauthorized = sendUnauthorized;
|
||||
exports.getCookie = getCookie;
|
||||
exports.getBearerToken = getBearerToken;
|
||||
exports.getAuthToken = getAuthToken;
|
||||
exports.sendForbidden = sendForbidden;
|
||||
exports.sendPaymentRequired = sendPaymentRequired;
|
||||
/**
|
||||
* Sends a uniform auth-error JSON response.
|
||||
* All auth middleware must go through this function so the shape is identical
|
||||
* to what the errorMiddleware produces for AppError instances.
|
||||
*/
|
||||
function sendUnauthorized(res, error, message) {
|
||||
return res.status(401).json({ error, message, statusCode: 401 });
|
||||
}
|
||||
function getCookie(req, name) {
|
||||
const cookieHeader = req.headers.cookie;
|
||||
if (!cookieHeader)
|
||||
return null;
|
||||
for (const chunk of cookieHeader.split(';')) {
|
||||
const [rawName, ...rawValue] = chunk.trim().split('=');
|
||||
if (rawName === name) {
|
||||
return decodeURIComponent(rawValue.join('='));
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
function getBearerToken(req) {
|
||||
const authHeader = req.headers.authorization;
|
||||
if (!authHeader?.startsWith('Bearer '))
|
||||
return null;
|
||||
const token = authHeader.slice(7).trim();
|
||||
return token.length > 0 ? token : null;
|
||||
}
|
||||
function getAuthToken(req, cookieName) {
|
||||
// Prefer HttpOnly cookies over bearer tokens so stale script-readable tokens
|
||||
// cannot shadow a valid server-managed session during migration.
|
||||
return (cookieName ? getCookie(req, cookieName) : null) ?? getBearerToken(req);
|
||||
}
|
||||
function sendForbidden(res, error, message, extra) {
|
||||
return res.status(403).json({ error, message, statusCode: 403, ...extra });
|
||||
}
|
||||
function sendPaymentRequired(res, error, message, extra) {
|
||||
return res.status(402).json({ error, message, statusCode: 402, ...extra });
|
||||
}
|
||||
//# sourceMappingURL=authHelpers.js.map
|
||||
Reference in New Issue
Block a user