mirror of
https://github.com/yu-i-i/overleaf-cep.git
synced 2026-05-25 10:10:08 +02:00
bc8ccf26c7
move session validation into SessionStoreManager GitOrigin-RevId: 438ec738f0ccaf9f072629d6203a334cb8439b83
55 lines
1.8 KiB
JavaScript
55 lines
1.8 KiB
JavaScript
const Metrics = require('metrics-sharelatex')
|
|
const logger = require('logger-sharelatex')
|
|
|
|
function computeValidationToken(req) {
|
|
// this should be a deterministic function of the client-side sessionID,
|
|
// prepended with a version number in case we want to change it later
|
|
return 'v1:' + req.sessionID.slice(-4)
|
|
}
|
|
|
|
module.exports = {
|
|
enableValidationToken(sessionStore) {
|
|
// generate an identifier from the sessionID for every new session
|
|
const originalGenerate = sessionStore.generate
|
|
sessionStore.generate = function(req) {
|
|
originalGenerate(req)
|
|
// add the validation token as a property that cannot be overwritten
|
|
Object.defineProperty(req.session, 'validationToken', {
|
|
value: computeValidationToken(req),
|
|
enumerable: true,
|
|
writable: false
|
|
})
|
|
Metrics.inc('security.session', 1, { status: 'new' })
|
|
}
|
|
},
|
|
|
|
checkValidationToken(req) {
|
|
if (req.session) {
|
|
const sessionToken = req.session.validationToken
|
|
if (sessionToken) {
|
|
const clientToken = computeValidationToken(req)
|
|
// Reject invalid sessions. If you change the method for computing the
|
|
// token (above) then you need to either check or ignore previous
|
|
// versions of the token.
|
|
if (sessionToken === clientToken) {
|
|
Metrics.inc('security.session', 1, { status: 'ok' })
|
|
return true
|
|
} else {
|
|
logger.error(
|
|
{
|
|
sessionToken: sessionToken,
|
|
clientToken: clientToken
|
|
},
|
|
'session token validation failed'
|
|
)
|
|
Metrics.inc('security.session', 1, { status: 'error' })
|
|
return false
|
|
}
|
|
} else {
|
|
Metrics.inc('security.session', 1, { status: 'missing' })
|
|
}
|
|
}
|
|
return true // fallback to allowing session
|
|
}
|
|
}
|