public/owltide
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages 1 Wiki Activity Actions
owltide/stores/session.ts
Hornwitser 011687b391 Close event streams for expired sessions 
When a session expires close any event streams that have been opened
with that session.  This prevents an attacker with a leaked session
cookie from opening a stream and receiving updates indefinitely without
being detected.

By sending the session the event stream is opened with when the stream
is established this closure on session expiry also serves as a way for
a user agent to be notified whenever its own access level changes.
2025-07-08 16:13:46 +02:00

75 lines
1.8 KiB
TypeScript
Raw Blame History

/*
SPDX-FileCopyrightText: © 2025 Hornwitser <code@hornwitser.no>
SPDX-License-Identifier: AGPL-3.0-or-later
*/
import { appendResponseHeader } from "h3";
import type { H3Event } from "h3";
import type { ApiAccount, ApiSession } from "~/shared/types/api";
const fetchSessionWithCookie = async (event?: H3Event) => {
// Client side
if (!event) {
return $fetch("/api/auth/session");
}
// Server side
const cookie = useRequestHeader("cookie");
const res = await $fetch.raw("/api/auth/session", {
headers: cookie ? { cookie } : undefined
});
for (const cookie of res.headers.getSetCookie()) {
appendResponseHeader(event, "set-cookie", cookie);
}
return res._data;
}
export const useSessionStore = defineStore("session", () => {
const state = {
account: ref<ApiAccount>(),
id: ref<number>(),
push: ref<boolean>(false),
};
const actions = {
async fetch(event?: H3Event) {
const session = await fetchSessionWithCookie(event)
actions.update(session);
},
update(session?: ApiSession) {
state.account.value = session?.account;
state.id.value = session?.id;
state.push.value = session?.push ?? false;
},
async logIn(name: string) {
const res = await $fetch.raw("/api/auth/login", {
method: "POST",
body: { name },
});
await actions.fetch();
return `/api/auth/login replied: ${res.status} ${res.statusText}`;
},
async logOut() {
try {
await $fetch.raw("/api/auth/session", {
method: "DELETE",
});
await actions.fetch();
} catch (err: any) {
alert(`Log out failed: ${err.statusCode} ${err.statusMessage}`);
}
},
};
appEventSource?.addEventListener("update", (event) => {
if (event.data.type !== "connected") {
return;
}
actions.update(event.data.session);
});
return {
...state,
...actions,
};
});
Reference in a new issue View git blame Copy permalink