UNPKG

@theia/core

Version:

Theia is a cloud & desktop IDE framework implemented in TypeScript.

46 lines 2.41 kB
import * as http from 'http'; import express = require('express'); import { MaybePromise } from '../../common'; import { BackendApplicationContribution, EarlyExpressMiddleware } from '../backend-application'; import { WsRequestValidatorContribution } from '../ws-request-validators'; export declare const BrowserConnectionToken: unique symbol; export declare const BROWSER_TOKEN_COOKIE_NAME = "theia-connection-token"; export interface BrowserConnectionToken { value: string; } /** * Validates WebSocket and HTTP requests using a cookie-based connection token. * * In browser deployments, the server generates a random token at startup and sets it * as a `SameSite=Strict; HttpOnly` cookie on the first page load. Cross-origin pages * cannot obtain or send this cookie, so their requests are rejected. * * This complements the origin validator: non-browser callers that omit the Origin * header (e.g. Node.js scripts) still cannot reach the backend without the cookie. * * Skipped in Electron deployments (which use their own `ElectronSecurityToken`). */ export declare class BrowserConnectionTokenBackendContribution implements BackendApplicationContribution, WsRequestValidatorContribution { protected readonly browserConnectionToken: BrowserConnectionToken; protected readonly earlyMiddleware: EarlyExpressMiddleware; /** * Register the cookie middleware during `initialize()` via `EarlyExpressMiddleware` * so it runs before `express.static()` (which is registered later during `configure()`). * This ensures the browser receives the token cookie on the initial page load. */ initialize(): void; /** * Validate the connection token cookie on WebSocket upgrade requests. * Non-browser callers that omit the Origin header (e.g. Node.js scripts) * cannot provide the `SameSite=Strict` cookie either, so they are rejected. */ allowWsUpgrade(request: http.IncomingMessage): MaybePromise<boolean>; protected expressMiddleware(req: express.Request, res: express.Response, next: express.NextFunction): void; protected getTokenFromCookie(req: http.IncomingMessage): string | undefined; protected isTokenValid(token: string): boolean; } /** * Creates a new browser connection token. */ export declare function createBrowserConnectionToken(): BrowserConnectionToken; //# sourceMappingURL=browser-connection-token.d.ts.map