feat: Additional httpOnly token for enhanced security in browsers

2025-07-24 15:49:46 +02:00 · 2024-09-01 09:31:04 +02:00 · 2024-09-01 09:31:04 +02:00 · 50519f1bcd
commit 50519f1bcd
parent d4043c9726
18 changed files with 171 additions and 48 deletions
--- a/server/api/hooks/current-user/index.js
+++ b/server/api/hooks/current-user/index.js
@ -9,10 +9,10 @@
 module.exports = function defineCurrentUserHook(sails) {
  const TOKEN_PATTERN = /^Bearer /;

-  const getUser = async (accessToken) => {
+  const getSessionAndUser = async (accessToken, httpOnlyToken) => {
    let payload;
    try {
-      payload = sails.helpers.utils.verifyToken(accessToken);
+      payload = sails.helpers.utils.verifyJwtToken(accessToken);
    } catch (error) {
      return null;
    }
@ -26,13 +26,20 @@ module.exports = function defineCurrentUserHook(sails) {
      return null;
    }

+    if (session.httpOnlyToken && httpOnlyToken !== session.httpOnlyToken) {
+      return null;
+    }
+
    const user = await sails.helpers.users.getOne(payload.subject);

    if (user && user.passwordChangedAt > payload.issuedAt) {
      return null;
    }

-    return user;
+    return {
+      session,
+      user,
+    };
  };

  return {
@ -52,17 +59,21 @@ module.exports = function defineCurrentUserHook(sails) {

            if (authorizationHeader && TOKEN_PATTERN.test(authorizationHeader)) {
              const accessToken = authorizationHeader.replace(TOKEN_PATTERN, '');
-              const currentUser = await getUser(accessToken);
+              const { httpOnlyToken } = req.cookies;
+
+              const sessionAndUser = await getSessionAndUser(accessToken, httpOnlyToken);
+
+              if (sessionAndUser) {
+                const { session, user } = sessionAndUser;

-              if (currentUser) {
                Object.assign(req, {
-                  accessToken,
-                  currentUser,
+                  currentSession: session,
+                  currentUser: user,
                });

                if (req.isSocket) {
-                  sails.sockets.join(req, `@accessToken:${accessToken}`);
-                  sails.sockets.join(req, `@user:${currentUser.id}`);
+                  sails.sockets.join(req, `@accessToken:${session.accessToken}`);
+                  sails.sockets.join(req, `@user:${user.id}`);
                }
              }
            }
@ -72,15 +83,17 @@ module.exports = function defineCurrentUserHook(sails) {
        },
        '/attachments/*': {
          async fn(req, res, next) {
-            const { accessToken } = req.cookies;
+            const { accessToken, httpOnlyToken } = req.cookies;

            if (accessToken) {
-              const currentUser = await getUser(accessToken);
+              const sessionAndUser = await getSessionAndUser(accessToken, httpOnlyToken);
+
+              if (sessionAndUser) {
+                const { session, user } = sessionAndUser;

-              if (currentUser) {
                Object.assign(req, {
-                  accessToken,
-                  currentUser,
+                  currentSession: session,
+                  currentUser: user,
                });
              }
            }
--- a/server/api/hooks/watcher/index.js
+++ b/server/api/hooks/watcher/index.js
@ -16,7 +16,7 @@ module.exports = function defineWatcherHook(sails) {
      const accessToken = room.split(':')[1];

      try {
-        sails.helpers.utils.verifyToken(accessToken);
+        sails.helpers.utils.verifyJwtToken(accessToken);
      } catch (error) {
        sails.sockets.broadcast(room, 'logout');
        sails.sockets.leaveAll(room);