forked from cory/tildefriends
Refresh the JWT on websocket connect.
git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@3993 ed5197a5-7fde-0310-b194-c3ffbd925b24
This commit is contained in:
parent
3cdfc7af2b
commit
5e72b111d9
@ -61,6 +61,8 @@ function socket(request, response, client) {
|
|||||||
let process;
|
let process;
|
||||||
let options = {};
|
let options = {};
|
||||||
let credentials = auth.query(request.headers);
|
let credentials = auth.query(request.headers);
|
||||||
|
let refresh_token = credentials?.refresh?.token;
|
||||||
|
let refresh_interval = credentials?.refresh?.interval;
|
||||||
|
|
||||||
response.onClose = async function() {
|
response.onClose = async function() {
|
||||||
if (process && process.task) {
|
if (process && process.task) {
|
||||||
@ -190,6 +192,12 @@ function socket(request, response, client) {
|
|||||||
process.lastActive = Date.now();
|
process.lastActive = Date.now();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (refresh_token) {
|
||||||
|
return {
|
||||||
|
'Set-Cookie': `session=${refresh_token}; path=/; Max-Age=${refresh_interval}; Secure; SameSite=Strict`,
|
||||||
|
};
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
export { socket, App };
|
export { socket, App };
|
||||||
|
27
core/auth.js
27
core/auth.js
@ -5,13 +5,7 @@ import * as form from './form.js';
|
|||||||
var gTokens = {};
|
var gTokens = {};
|
||||||
var gDatabase = new Database("auth");
|
var gDatabase = new Database("auth");
|
||||||
|
|
||||||
const kRefreshInterval =
|
const kRefreshInterval = 1 * 7 * 24 * 60 * 60 * 1000;
|
||||||
1 /* w */ *
|
|
||||||
7 /* d */ *
|
|
||||||
24 /* h */ *
|
|
||||||
60 /* m */ *
|
|
||||||
60 /* s */ *
|
|
||||||
1000 /* ms */;
|
|
||||||
|
|
||||||
function b64url(value) {
|
function b64url(value) {
|
||||||
value = value.replaceAll('+', '-').replaceAll('/', '_');
|
value = value.replaceAll('+', '-').replaceAll('/', '_');
|
||||||
@ -59,10 +53,12 @@ function readSession(session) {
|
|||||||
let id = ssb.getIdentities(':auth');
|
let id = ssb.getIdentities(':auth');
|
||||||
if (id?.length && ssb.hmacsha256verify(id[0], payload, signature)) {
|
if (id?.length && ssb.hmacsha256verify(id[0], payload, signature)) {
|
||||||
let result = JSON.parse(base64Decode(unb64url(payload)));
|
let result = JSON.parse(base64Decode(unb64url(payload)));
|
||||||
if ((new Date()).valueOf() < result.exp) {
|
let now = new Date().valueOf()
|
||||||
|
if (now < result.exp) {
|
||||||
|
print(`JWT valid for another ${(result.exp - now) / 1000} seconds.`);
|
||||||
return result;
|
return result;
|
||||||
} else {
|
} else {
|
||||||
print('JWT expired.');
|
print(`JWT expired by ${(now - result.exp) / 1000} seconds.`);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
print('JWT verification failed.');
|
print('JWT verification failed.');
|
||||||
@ -70,6 +66,8 @@ function readSession(session) {
|
|||||||
} else {
|
} else {
|
||||||
print('Invalid JWT header.');
|
print('Invalid JWT header.');
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
print('No session JWT.');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -174,7 +172,7 @@ function handler(request, response) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var cookie = "session=" + session + "; path=/; Max-Age=604800; Secure; SameSite=Strict";
|
var cookie = `session=${session}; path=/; Max-Age=${kRefreshInterval}; Secure; SameSite=Strict`;
|
||||||
var entry = readSession(session);
|
var entry = readSession(session);
|
||||||
if (entry && formData.return) {
|
if (entry && formData.return) {
|
||||||
response.writeHead(303, {"Location": formData.return, "Set-Cookie": cookie});
|
response.writeHead(303, {"Location": formData.return, "Set-Cookie": cookie});
|
||||||
@ -257,7 +255,14 @@ function query(headers) {
|
|||||||
var entry;
|
var entry;
|
||||||
var autologin = tildefriends.args.autologin;
|
var autologin = tildefriends.args.autologin;
|
||||||
if (entry = autologin ? {name: autologin} : readSession(session)) {
|
if (entry = autologin ? {name: autologin} : readSession(session)) {
|
||||||
return {session: entry, permissions: autologin ? getPermissionsForUser(autologin) : getPermissions(session)};
|
return {
|
||||||
|
session: entry,
|
||||||
|
permissions: autologin ? getPermissionsForUser(autologin) : getPermissions(session),
|
||||||
|
refresh: {
|
||||||
|
token: makeJwt({name: entry.name}),
|
||||||
|
interval: kRefreshInterval,
|
||||||
|
},
|
||||||
|
};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -246,7 +246,7 @@ function handleWebSocketRequest(request, response, client) {
|
|||||||
}
|
}
|
||||||
response.onMessage = null;
|
response.onMessage = null;
|
||||||
|
|
||||||
handler.invoke(request, response);
|
let extra_headers = handler.invoke(request, response);
|
||||||
|
|
||||||
client.read(function(data) {
|
client.read(function(data) {
|
||||||
if (data) {
|
if (data) {
|
||||||
@ -333,7 +333,7 @@ function handleWebSocketRequest(request, response, client) {
|
|||||||
if (request.headers["sec-websocket-version"] != "13") {
|
if (request.headers["sec-websocket-version"] != "13") {
|
||||||
headers["Sec-WebSocket-Version"] = "13";
|
headers["Sec-WebSocket-Version"] = "13";
|
||||||
}
|
}
|
||||||
response.writeHead(101, headers);
|
response.writeHead(101, Object.assign({}, headers, extra_headers));
|
||||||
}
|
}
|
||||||
|
|
||||||
function webSocketAcceptResponse(key) {
|
function webSocketAcceptResponse(key) {
|
||||||
|
Loading…
x
Reference in New Issue
Block a user