feat: 🔒 add csrf checks
This commit is contained in:
parent
e2c8313aa3
commit
756c5564b3
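--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,4 +1,6 @@
 import { FreshContext } from '$fresh/server.ts'
+import { getCookies, setCookie } from '@std/http/cookie'
+import { SessionStore } from '../src/session/mod.ts'
 
 export async function handler(request: Request, ctx: FreshContext) {
 // Allow service worker to serve root scope
@@ -7,5 +9,34 @@ export async function handler(request: Request, ctx: FreshContext) {
 if (url.pathname.endsWith('island-startserviceworker.js')) {
 response.headers.set('Service-Worker-Allowed', '/')
 }
+
+// Start session
+if (getCookies(request.headers)['_SESSION'] === undefined) {
+const session = SessionStore.createSession()
+
+// Set session cookie
+setCookie(response.headers, {
+name: '_SESSION',
+value: session.uuid,
+httpOnly: true,
+sameSite: 'Strict',
+secure: true,
+expires: SessionStore.maxAge,
+})
+
+// Set csrf
+const csrf = crypto.randomUUID()
+session.set('_csrf', csrf)
+
+setCookie(response.headers, {
+name: '_CSRF',
+value: csrf,
+httpOnly: false,
+sameSite: 'Strict',
+secure: true,
+expires: SessionStore.maxAge,
+})
+}
+
 return response
 }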
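Review bot: The session bootstrap at `if (getCookies(request.headers)['_SESSION'] === undefined)` keys only on the cookie's presence, so a browser holding a stale, expired or pre-existing `_SESSION` value (including one issued before this commit) never gets a `_csrf` entry in the store or a `_CSRF` cookie, and any check elsewhere that compares the two will fail for those clients until the cookie lapses; if SessionStore exposes a lookup, validate the id against the store and also re-issue when `getCookies(request.headers)['_CSRF'] === undefined`. Neither setCookie call sets `path`, so both cookies default to the directory of whichever request first created the session and are not sent on sibling paths, which yields a fresh session per directory; add `path: '/',` to both calls. `expires: SessionStore.maxAge` also deserves a look: `@std/http/cookie` treats a numeric `expires` as an absolute timestamp, so if `maxAge` is a duration it belongs in the cookie's `maxAge` field instead — which it is cannot be confirmed from the hunk. This section only shows token issuance; the comparison of a submitted token with `session.get('_csrf')` on state-changing requests is not in this file, and the lines defining `url` and `response` fall between the two hunks.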