
Require cookies to store JWT signature

dev
David Ludwig 4 years ago
parent
commit
cd68c89663
2 changed files with 10 additions and 16 deletions
  1. +2
    -5
      services/request/src/services/WebServer/middleware/auth.ts
  2. +8
    -11
      services/request/src/services/WebServer/routes/auth.ts

+ 2
- 5
services/request/src/services/WebServer/middleware/auth.ts View File

@ -9,7 +9,7 @@ import Application from "../../../Application";
*/
async function authenticateJwtToken<T>(request: MiddlewareRequest<T>, reply: FastifyReply): Promise<User|undefined> {
// Verify headers
if (!request.headers["authorization"]) {
if (!request.headers["authorization"] || !request.cookies.jwt_signature) {
reply.status(401);
reply.send({ status: "Unauthorized" });
return;
@ -20,10 +20,7 @@ async function authenticateJwtToken<T>(request: MiddlewareRequest<T>, reply: Fas
return;
}
// Construct the token string
let token = request.headers["authorization"].slice(7).trim();
if ((token.match(/\./g)||[]).length < 2) {
token += '.' + (request.cookies.jwt_signature ?? "").trim();
}
let token = `${request.headers["authorization"].slice(7).trim()}.${request.cookies.jwt_signature.trim()}`;
// Decode the token
let user: User;
try {
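Review bot: The `// Verify headers` comment above the guard at L27 no longer describes what the guard checks, since the condition now also requires the `jwt_signature` cookie; suggest `// Require both the Authorization header and the httpOnly signature cookie`. The guard only tests presence, so a cookie whose value is whitespace passes it and the assembly at L39 yields a token ending in `.`, which is only rejected later during verification; changing the condition to `!request.cookies.jwt_signature?.trim()` rejects it up front with the same 401 and keeps the later `.trim()` safe. The token assembly at L39 also deserves a one-line comment stating the contract it relies on — header and payload arrive in the Authorization header, the signature arrives only via the cookie — because that split is what prevents a script-readable token from being replayed on its own, and a future reader may otherwise "fix" it back to accepting a full JWT in the header. Presumably `request.cookies` is populated by a cookie plugin registered elsewhere; the hunk does not show that. authenticateJwtToken's body continues outside the hunk.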


+ 8
- 11
services/request/src/services/WebServer/routes/auth.ts View File

@ -29,18 +29,15 @@ export default function register(factory: RouteRegisterFactory<MiddlewareMethod<
}
let body = { id: user.id, name: user.name, isAdmin: user.isAdmin };
let token = jwt.sign(body, app.APP_KEY, { expiresIn: 60*60*24 });
// Below code requires SSH to store cookies securely
// Store the header/payload in the client, store the signature in a secure httpOnly cookie
// if ((<any>request.query)["use_cookies"] || (<any>request.query)["use_cookies"] === undefined) {
// let [header, payload, signature] = token.split('.');
// token = `${header}.${payload}`;
// reply.setCookie("jwt_signature", signature, {
// path: '/',
// httpOnly: true,
// sameSite: true,
// secure: true
// });
// }
let [header, payload, signature] = token.split('.');
token = `${header}.${payload}`;
reply.setCookie("jwt_signature", signature, {
path: '/',
httpOnly: true,
sameSite: true,
secure: process.env["NODE_ENV"] === "production"
});
respond(reply, Status.Ok, { token });
}));
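Review bot: The signature cookie set at L67-72 has no `maxAge` or `expires`, so it is a session cookie while the token it belongs to is signed with `expiresIn: 60*60*24` at L52; a browser restart leaves the client holding a header/payload it can no longer use, and a long-lived browser session keeps the signature around after the token has expired. Adding `maxAge: 60*60*24` to the cookie options, with the lifetime hoisted into one constant shared by both calls, keeps the two in step. `secure` now follows `NODE_ENV` at L71, which is convenient for local development but means any non-production deployment reached over plain HTTP sends the signature in clear; a comment such as `// secure only in production so local HTTP dev servers still receive the cookie` would make that trade-off visible. Minor: the destructuring at L65 can be `const`, and under `noUncheckedIndexedAccess` its elements are `string | undefined` — jwt.sign always produces three segments, but noting that invariant in a comment would explain why no guard follows. register's body continues outside the hunk.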

