Spaces:
Running
Running
File size: 3,653 Bytes
faca43f 5528541 faca43f 5528541 faca43f 5528541 faca43f |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 |
import { COOKIE_NAME, MESSAGES_BEFORE_LOGIN } from "$env/static/private";
import type { Handle } from "@sveltejs/kit";
import {
PUBLIC_GOOGLE_ANALYTICS_ID,
PUBLIC_DEPRECATED_GOOGLE_ANALYTICS_ID,
PUBLIC_ORIGIN,
PUBLIC_APP_DISCLAIMER,
} from "$env/static/public";
import { collections } from "$lib/server/database";
import { base } from "$app/paths";
import { refreshSessionCookie, requiresUser } from "$lib/server/auth";
import { ERROR_MESSAGES } from "$lib/stores/errors";
export const handle: Handle = async ({ event, resolve }) => {
const token = event.cookies.get(COOKIE_NAME);
event.locals.sessionId = token || crypto.randomUUID();
function errorResponse(status: number, message: string) {
const sendJson =
event.request.headers.get("accept")?.includes("application/json") ||
event.request.headers.get("content-type")?.includes("application/json");
return new Response(sendJson ? JSON.stringify({ error: message }) : message, {
status,
headers: {
"content-type": sendJson ? "application/json" : "text/plain",
},
});
}
// CSRF protection
const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
/** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */
const nativeFormContentTypes = [
"multipart/form-data",
"application/x-www-form-urlencoded",
"text/plain",
];
if (event.request.method === "POST" && nativeFormContentTypes.includes(requestContentType)) {
const referer = event.request.headers.get("referer");
if (!referer) {
return errorResponse(403, "Non-JSON form requests need to have a referer");
}
const validOrigins = [
new URL(event.request.url).origin,
...(PUBLIC_ORIGIN ? [new URL(PUBLIC_ORIGIN).origin] : []),
];
if (!validOrigins.includes(new URL(referer).origin)) {
return errorResponse(403, "Invalid referer for POST request");
}
}
// if (
// !event.url.pathname.startsWith(`${base}/login`) &&
// !event.url.pathname.startsWith(`${base}/admin`) &&
// !["GET", "OPTIONS", "HEAD"].includes(event.request.method)
// ) {
// if (
// !user &&
// requiresUser &&
// !((MESSAGES_BEFORE_LOGIN ? parseInt(MESSAGES_BEFORE_LOGIN) : 0) > 0)
// ) {
// return errorResponse(401, ERROR_MESSAGES.authOnly);
// }
// // if login is not required and the call is not from /settings and we display the ethics modal with PUBLIC_APP_DISCLAIMER
// // we check if the user has accepted the ethics modal first.
// // If login is required, `ethicsModalAcceptedAt` is already true at this point, so do not pass this condition. This saves a DB call.
// if (
// !requiresUser &&
// !event.url.pathname.startsWith(`${base}/settings`) &&
// !!PUBLIC_APP_DISCLAIMER
// ) {
// const hasAcceptedEthicsModal = await collections.settings.countDocuments({
// sessionId: event.locals.sessionId,
// ethicsModalAcceptedAt: { $exists: true },
// });
// if (!hasAcceptedEthicsModal) {
// return errorResponse(405, "You need to accept the welcome modal first");
// }
// }
// }
refreshSessionCookie(event.cookies, event.locals.sessionId);
let replaced = false;
const response = await resolve(event, {
transformPageChunk: (chunk) => {
// For some reason, Sveltekit doesn't let us load env variables from .env in the app.html template
if (replaced || !chunk.html.includes("%gaId%") || !chunk.html.includes("%gaIdDeprecated%")) {
return chunk.html;
}
replaced = true;
return chunk.html
.replace("%gaId%", PUBLIC_GOOGLE_ANALYTICS_ID)
.replace("%gaIdDeprecated%", PUBLIC_DEPRECATED_GOOGLE_ANALYTICS_ID);
},
});
return response;
};
|