🔒️ Harden session ID generator (#599)
Browse files- src/hooks.server.ts +13 -3
src/hooks.server.ts
@@ -13,9 +13,7 @@ import { ERROR_MESSAGES } from "$lib/stores/errors";
|
|
13 |
export const handle: Handle = async ({ event, resolve }) => {
|
14 |
const token = event.cookies.get(COOKIE_NAME);
|
15 |
|
16 |
-
|
17 |
-
|
18 |
-
const user = await collections.users.findOne({ sessionId: event.locals.sessionId });
|
19 |
|
20 |
if (user) {
|
21 |
event.locals.user = user;
|
@@ -33,6 +31,18 @@ export const handle: Handle = async ({ event, resolve }) => {
|
|
33 |
});
|
34 |
}
|
35 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
36 |
// CSRF protection
|
37 |
const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
|
38 |
/** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */
|
|
|
13 |
export const handle: Handle = async ({ event, resolve }) => {
|
14 |
const token = event.cookies.get(COOKIE_NAME);
|
15 |
|
16 |
+
const user = token ? await collections.users.findOne({ sessionId: token }) : null;
|
|
|
|
|
17 |
|
18 |
if (user) {
|
19 |
event.locals.user = user;
|
|
|
31 |
});
|
32 |
}
|
33 |
|
34 |
+
if (!token) {
|
35 |
+
const sessionId = crypto.randomUUID();
|
36 |
+
if (await collections.users.findOne({ sessionId })) {
|
37 |
+
return errorResponse(500, "Session ID collision");
|
38 |
+
}
|
39 |
+
event.locals.sessionId = sessionId;
|
40 |
+
} else {
|
41 |
+
event.locals.sessionId = token;
|
42 |
+
}
|
43 |
+
|
44 |
+
Object.freeze(event.locals);
|
45 |
+
|
46 |
// CSRF protection
|
47 |
const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
|
48 |
/** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */
|
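Review bot: When a cookie is present but no user matches it, the `else` branch at new line 41 adopts the client-supplied value as `event.locals.sessionId` unchanged, so the generated-ID hardening only covers the cookieless case and a client can still choose an arbitrary string as its session ID, which is presumably what later gets attached to a user record. Consider treating a token that is not in the generated format as absent before the lookup on new line 16, e.g. `const token = raw && /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(raw) ? raw : undefined;` with `raw` being the cookie value, or regenerating when no user matches if anonymous sessions are created elsewhere (that logic is outside the hunk). The collision check on new lines 36–38 is check-then-use against a document that is inserted later, so it cannot by itself rule out duplicates; if the users collection carries a unique index on `sessionId`, that index is the actual guarantee and this check is only defense in depth, which the code should say in a comment such as `// best-effort collision check; uniqueness is enforced by the index on sessionId`. Note also that `Object.freeze(event.locals)` on new line 44 is shallow, so the `user` document stays mutable and any later assignment to a property of `event.locals` will throw under ES-module strict mode; `handle` continues past the end of the hunk.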