coyotte508 HF staff commited on
Commit
265abf1
·
unverified ·
1 Parent(s): e6e851b

🔒️ Harden session ID generator (#599)

Browse files
Files changed (1) hide show
  1. src/hooks.server.ts +13 -3
src/hooks.server.ts CHANGED
@@ -13,9 +13,7 @@ import { ERROR_MESSAGES } from "$lib/stores/errors";
13
  export const handle: Handle = async ({ event, resolve }) => {
14
  const token = event.cookies.get(COOKIE_NAME);
15
 
16
- event.locals.sessionId = token || crypto.randomUUID();
17
-
18
- const user = await collections.users.findOne({ sessionId: event.locals.sessionId });
19
 
20
  if (user) {
21
  event.locals.user = user;
@@ -33,6 +31,18 @@ export const handle: Handle = async ({ event, resolve }) => {
33
  });
34
  }
35
 
 
 
 
 
 
 
 
 
 
 
 
 
36
  // CSRF protection
37
  const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
38
  /** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */
 
13
  export const handle: Handle = async ({ event, resolve }) => {
14
  const token = event.cookies.get(COOKIE_NAME);
15
 
16
+ const user = token ? await collections.users.findOne({ sessionId: token }) : null;
 
 
17
 
18
  if (user) {
19
  event.locals.user = user;
 
31
  });
32
  }
33
 
34
+ if (!token) {
35
+ const sessionId = crypto.randomUUID();
36
+ if (await collections.users.findOne({ sessionId })) {
37
+ return errorResponse(500, "Session ID collision");
38
+ }
39
+ event.locals.sessionId = sessionId;
40
+ } else {
41
+ event.locals.sessionId = token;
42
+ }
43
+
44
+ Object.freeze(event.locals);
45
+
46
  // CSRF protection
47
  const requestContentType = event.request.headers.get("content-type")?.split(";")[0] ?? "";
48
  /** https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype */