fix(auth): return JSON 401 for API sessions and harden cross-site cookies

This commit is contained in:
Adolfo Reyna
2026-02-21 21:55:01 -05:00
parent a8ddae4b1e
commit 83727957ab
5 changed files with 72 additions and 19 deletions


@@ -3,7 +3,7 @@ const { client_logger } = require('../utils/analyticsLogger');
const bcrypt = require('bcrypt');
const crypto = require('crypto');
const { getSessionId, getUserId, getProfileId } = require('../utils/sessionUtils.js');
const { cookiesOptions } = require('../config/cookiesOptions');
const { getCookiesOptions } = require('../config/cookiesOptions');
const Notifications = require("../notifications");
// Object Definitions
@@ -19,6 +19,7 @@ const createPasswordTokenHash = (rawToken) =>
const createSessionFromUser = async ({ DB, user, req, res }) => {
const sessionObj = await DB.newSession(user._id);
const cookiesOptions = getCookiesOptions(req);
res.cookie('user_sid', user._id, cookiesOptions);
res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
const latestUpdatedProfile = await DB.latestProfile(user._id);
@@ -143,8 +144,9 @@ const logout = async function (req, res) {
const session_id = getSessionId(req);
const user_sid = getUserId(req);
if (session_id && user_sid) {
res.clearCookie('session_id');
res.clearCookie('user_sid');
const cookiesOptions = getCookiesOptions(req);
res.clearCookie('session_id', cookiesOptions);
res.clearCookie('user_sid', cookiesOptions);
//remove from DB
const DB = await MongoDB.getDB;
DB.removeSession(session_id);
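Review bot: The new `res.clearCookie('session_id', cookiesOptions)` / `res.clearCookie('user_sid', cookiesOptions)` lines in the logout hunk will not actually expire the cookies if `getCookiesOptions(req)` returns a `maxAge` (or `expires`): on Express 4 `clearCookie` merges the caller's options over its own epoch `expires`, and `res.cookie` then converts a `maxAge` into a future expiry, so the browser keeps the session cookie; Express 5 strips those keys, but the Express version and the contents of `getCookiesOptions` are not visible here. Since the same options object is the one handed to `res.cookie` in `createSessionFromUser`, a lifetime is plausible, so strip it before clearing: `const { maxAge, expires, ...clearOptions } = getCookiesOptions(req);` then `res.clearCookie('session_id', clearOptions);` and `res.clearCookie('user_sid', clearOptions);`. The pre-existing `DB.removeSession(session_id)` on the following line is not awaited, so a rejected removal surfaces as an unhandled rejection and the response can be sent before the server-side session is gone; `await DB.removeSession(session_id);` would fit in the same change. `logout` starts before this hunk and its body continues past it.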