feat: Additional httpOnly token for enhanced security in browsers

2025-07-24 15:49:46 +02:00 · 2024-09-01 09:31:04 +02:00 · 2024-09-01 09:31:04 +02:00 · 9699fbe76a
commit 9699fbe76a
parent 4176a62f1a
18 changed files with 171 additions and 48 deletions
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -1,5 +1,6 @@
 const bcrypt = require('bcrypt');
 const validator = require('validator');
+const { v4: uuid } = require('uuid');

 const { getRemoteAddress } = require('../../../utils/remoteAddress');

@ -34,6 +35,10 @@ module.exports = {
      type: 'string',
      required: true,
    },
+    withHttpOnlyToken: {
+      type: 'boolean',
+      defaultsTo: false,
+    },
  },

  exits: {
@ -81,15 +86,24 @@ module.exports = {
        : Errors.INVALID_CREDENTIALS;
    }

-    const accessToken = sails.helpers.utils.createToken(user.id);
+    const { token: accessToken, payload: accessTokenPayload } = sails.helpers.utils.createJwtToken(
+      user.id,
+    );
+
+    const httpOnlyToken = inputs.withHttpOnlyToken ? uuid() : null;

    await Session.create({
      accessToken,
+      httpOnlyToken,
      remoteAddress,
      userId: user.id,
      userAgent: this.req.headers['user-agent'],
    });

+    if (httpOnlyToken && !this.req.isSocket) {
+      sails.helpers.utils.setHttpOnlyTokenCookie(httpOnlyToken, accessTokenPayload, this.res);
+    }
+
    return {
      item: accessToken,
    };
--- a/server/api/controllers/access-tokens/delete.js
+++ b/server/api/controllers/access-tokens/delete.js
@ -1,20 +1,22 @@
 module.exports = {
  async fn() {
-    const { accessToken } = this.req;
+    const { currentSession } = this.req;

    await Session.updateOne({
-      accessToken,
+      id: currentSession.id,
      deletedAt: null,
    }).set({
      deletedAt: new Date().toISOString(),
    });

-    if (this.req.isSocket) {
-      sails.sockets.leaveAll(`@accessToken:${accessToken}`);
+    sails.sockets.leaveAll(`@accessToken:${currentSession.accessToken}`);
+
+    if (currentSession.httpOnlyToken && !this.req.isSocket) {
+      sails.helpers.utils.clearHttpOnlyTokenCookie(this.res);
    }

    return {
-      item: accessToken,
+      item: currentSession.accessToken,
    };
  },
 };
--- a/server/api/controllers/access-tokens/exchange-using-oidc.js
+++ b/server/api/controllers/access-tokens/exchange-using-oidc.js
@ -1,3 +1,5 @@
+const { v4: uuid } = require('uuid');
+
 const { getRemoteAddress } = require('../../../utils/remoteAddress');

 const Errors = {
@ -28,6 +30,10 @@ module.exports = {
      type: 'string',
      required: true,
    },
+    withHttpOnlyToken: {
+      type: 'boolean',
+      defaultsTo: false,
+    },
  },

  exits: {
@ -62,15 +68,24 @@ module.exports = {
      .intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE)
      .intercept('missingValues', () => Errors.MISSING_VALUES);

-    const accessToken = sails.helpers.utils.createToken(user.id);
+    const { token: accessToken, payload: accessTokenPayload } = sails.helpers.utils.createJwtToken(
+      user.id,
+    );
+
+    const httpOnlyToken = inputs.withHttpOnlyToken ? uuid() : null;

    await Session.create({
      accessToken,
+      httpOnlyToken,
      remoteAddress,
      userId: user.id,
      userAgent: this.req.headers['user-agent'],
    });

+    if (httpOnlyToken && !this.req.isSocket) {
+      sails.helpers.utils.setHttpOnlyTokenCookie(httpOnlyToken, accessTokenPayload, this.res);
+    }
+
    return {
      item: accessToken,
    };