Hornwitser
011687b391
When a session expires close any event streams that have been opened with that session. This prevents an attacker with a leaked session cookie from opening a stream and receiving updates indefinitely without being detected. By sending the session the event stream is opened with when the stream is established this closure on session expiry also serves as a way for a user agent to be notified whenever its own access level changes.
35 lines
1.2 KiB
TypeScript
35 lines
1.2 KiB
TypeScript
/*
|
|
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
|
|
SPDX-License-Identifier: AGPL-3.0-or-later
|
|
*/
|
|
import { pipeline } from "node:stream";
|
|
import { addStream, deleteStream } from "~/server/streams";
|
|
|
|
export default defineEventHandler(async (event) => {
|
|
const session = await getServerSession(event, false);
|
|
|
|
const encoder = new TextEncoder();
|
|
const source = event.headers.get("x-forwarded-for");
|
|
console.log(`starting event stream for ${source}`)
|
|
const stream = new TransformStream<string, Uint8Array>({
|
|
transform(chunk, controller) {
|
|
controller.enqueue(encoder.encode(chunk));
|
|
},
|
|
flush(controller) {
|
|
console.log(`finished event stream for ${source}`);
|
|
deleteStream(stream.writable);
|
|
},
|
|
// @ts-expect-error experimental API
|
|
cancel(reason) {
|
|
console.log(`cancelled event stream for ${source}`);
|
|
deleteStream(stream.writable);
|
|
}
|
|
});
|
|
addStream(event, stream.writable, session);
|
|
|
|
// Workaround to properly handle stream errors. See https://github.com/unjs/h3/issues/986
|
|
setHeader(event, "Access-Control-Allow-Origin", "*");
|
|
setHeader(event, "Content-Type", "text/event-stream");
|
|
pipeline(stream.readable as unknown as NodeJS.ReadableStream, event.node.res, (err) => { /* ignore */ });
|
|
event._handled = true;
|
|
});
|