Path: blob/master/src/packages/hub/proxy/strip-remember-me-cookie.ts
/*
In the interest of security and "XSS", we strip the "remember_me" cookie
from the header before passing anything along via the proxy.
The reason this is important is that it's critical that the project (and
anything running in the project) cannot get access to a user's auth cookie.
I.e., malicious code running in a project shouldn't be able to steal
auth credentials for all users of a project!
*/
import {
REMEMBER_ME_COOKIE_NAME,
API_COOKIE_NAME,
} from "@cocalc/backend/auth/cookie-names";
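/**
 * Remove the `remember_me` and API-key cookies from a raw `Cookie` request
 * header before the header is forwarded through the proxy, and hand their
 * values back to the caller separately.
 *
 * Only segments whose (trimmed) name is exactly `REMEMBER_ME_COOKIE_NAME` or
 * `API_COOKIE_NAME` are removed; every other segment is kept verbatim
 * (including its surrounding whitespace) and re-joined with `;`. If a stripped
 * cookie appears more than once, the last occurrence wins.
 *
 * @param cookie - the raw `Cookie` header value. `null`/`undefined` is passed
 *   through unchanged. NOTE(review): the parameter is implicitly `any`; callers
 *   appear to pass the header as `string | undefined` — confirm before
 *   tightening the annotation.
 * @returns `cookie` with the two auth cookies removed, plus `remember_me` and
 *   `api_key` holding the stripped values (`undefined` when absent, or when the
 *   segment carried no `=`; `""` when the segment was `name=`).
 */
export default function stripRememberMeCookie(cookie): {
  cookie: string;
  remember_me: string | undefined; // the value of the cookie we just stripped out.
  api_key: string | undefined;
} {
  if (cookie == null) {
    // Nothing to strip; hand the (absent) header back as-is.
    return { cookie, remember_me: undefined, api_key: undefined };
  }

  const kept: string[] = []; // segments that survive the proxy
  let remember_me: string | undefined = undefined;
  let api_key: string | undefined = undefined;

  for (const segment of cookie.split(";")) {
    // Split on the FIRST "=" only: cookie values may themselves contain "="
    // (base64 padding, for instance), and a segment with no "=" at all must
    // not throw — it is still stripped when its name matches.
    const eq = segment.indexOf("=");
    const name = (eq === -1 ? segment : segment.slice(0, eq)).trim();
    const value = eq === -1 ? undefined : segment.slice(eq + 1).trim();

    if (name === REMEMBER_ME_COOKIE_NAME) {
      // Remember it for the caller, but never let it reach the proxied target.
      remember_me = value;
    } else if (name === API_COOKIE_NAME) {
      api_key = value;
    } else {
      kept.push(segment);
    }
  }

  return { cookie: kept.join(";"), remember_me, api_key };
}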