fix(auth): return JSON 401 for API sessions and harden cross-site cookies

This commit is contained in:
Adolfo Reyna
2026-02-21 21:55:01 -05:00
parent a8ddae4b1e
commit 83727957ab
5 changed files with 72 additions and 19 deletions


@@ -1,9 +1,22 @@
const { getSessionId, getUserId, getProfileId } = require('../utils/sessionUtils');
const { client_logger } = require('../utils/analyticsLogger');
const { cookiesOptions } = require('../config/cookiesOptions');
const { getCookiesOptions } = require('../config/cookiesOptions');
const MongoDB = require("../mongoDB.js");
const { ObjectId } = require("mongodb");
const shouldReturnJson = (req) => {
const accept = String(req?.headers?.accept || "").toLowerCase();
const contentType = String(req?.headers?.["content-type"] || "").toLowerCase();
return !!req?.headers?.origin || accept.includes("application/json") || contentType.includes("application/json");
};
const rejectUnauthorized = (req, res) => {
if (shouldReturnJson(req)) {
return res.status(401).json({ status: "Unauthorized" });
}
return res.redirect('/login');
};
const sessionChecker = async (req, res, next) => {
try {
const session_id = getSessionId(req);
@@ -11,10 +24,10 @@ const sessionChecker = async (req, res, next) => {
let profile_id = getProfileId(req);
if (!session_id || !user_sid) {
return res.redirect('/login');
return rejectUnauthorized(req, res);
}
if (!ObjectId.isValid(session_id) || !ObjectId.isValid(user_sid)) {
return res.redirect('/login');
return rejectUnauthorized(req, res);
}
const DB = await MongoDB.getDB;
@@ -24,15 +37,15 @@ const sessionChecker = async (req, res, next) => {
if (!await DB.getProfileCache(profile_id)) {
const latestProfile = await DB.latestProfile(user_sid);
if (!latestProfile || !latestProfile._id) {
return res.redirect('/login');
return rejectUnauthorized(req, res);
}
res.cookie('profile_id', latestProfile._id, cookiesOptions);
res.cookie('profile_id', latestProfile._id, getCookiesOptions(req));
profile_id = latestProfile._id;
}
req.profileInfo = { _id: profile_id };
if (!userInfo) return res.redirect('/login');
if (!userInfo) return rejectUnauthorized(req, res);
client_logger.capture({
distinctId: user_sid,
@@ -42,7 +55,7 @@ const sessionChecker = async (req, res, next) => {
next();
} catch (error) {
console.error("Session checker error", error);
return res.redirect('/login');
return rejectUnauthorized(req, res);
}
};
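Review bot: `shouldReturnJson` treats any request carrying an `Origin` header as an API call, but modern browsers also send `Origin` on ordinary same-origin HTML form POSTs, so a user whose session has expired mid-form would receive a raw `{"status":"Unauthorized"}` body instead of being sent to `/login`. A cheap fix is to let an explicit HTML preference win before the origin check, e.g. `if (accept.includes("text/html")) return false;` as the first statement after `accept` is computed, since browser form posts and navigations advertise `text/html` while `fetch`/XHR calls typically send `*/*` or `application/json`. The `catch` block in the last hunk now turns database or other unexpected errors into a 401, which API clients will read as a dead session rather than an outage; consider `return next(error);` (or a 5xx) there so monitoring can tell the two apart — the old redirect masked this in the same way, but the status code now makes the wrong claim explicitly. Not new in this commit, but `profile_id` read from the cookie is never passed through `ObjectId.isValid` the way `session_id` and `user_sid` are before it reaches `DB.getProfileCache`. `sessionChecker`'s body spans several hunks, and the file may continue past the final `};`.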