@theia/core
Version:
Theia is a cloud & desktop IDE framework implemented in TypeScript.
46 lines • 2.41 kB
TypeScript
import * as http from 'http';
import express = require('express');
import { MaybePromise } from '../../common';
import { BackendApplicationContribution, EarlyExpressMiddleware } from '../backend-application';
import { WsRequestValidatorContribution } from '../ws-request-validators';
export declare const BrowserConnectionToken: unique symbol;
export declare const BROWSER_TOKEN_COOKIE_NAME = "theia-connection-token";
export interface BrowserConnectionToken {
value: string;
}
/**
* Validates WebSocket and HTTP requests using a cookie-based connection token.
*
* In browser deployments, the server generates a random token at startup and sets it
* as a `SameSite=Strict; HttpOnly` cookie on the first page load. Cross-origin pages
* cannot obtain or send this cookie, so their requests are rejected.
*
* This complements the origin validator: non-browser callers that omit the Origin
* header (e.g. Node.js scripts) still cannot reach the backend without the cookie.
*
* Skipped in Electron deployments (which use their own `ElectronSecurityToken`).
*/
export declare class BrowserConnectionTokenBackendContribution implements BackendApplicationContribution, WsRequestValidatorContribution {
protected readonly browserConnectionToken: BrowserConnectionToken;
protected readonly earlyMiddleware: EarlyExpressMiddleware;
/**
* Register the cookie middleware during `initialize()` via `EarlyExpressMiddleware`
* so it runs before `express.static()` (which is registered later during `configure()`).
* This ensures the browser receives the token cookie on the initial page load.
*/
initialize(): void;
/**
* Validate the connection token cookie on WebSocket upgrade requests.
* Non-browser callers that omit the Origin header (e.g. Node.js scripts)
* cannot provide the `SameSite=Strict` cookie either, so they are rejected.
*/
allowWsUpgrade(request: http.IncomingMessage): MaybePromise<boolean>;
protected expressMiddleware(req: express.Request, res: express.Response, next: express.NextFunction): void;
protected getTokenFromCookie(req: http.IncomingMessage): string | undefined;
protected isTokenValid(token: string): boolean;
}
/**
* Creates a new browser connection token.
*/
export declare function createBrowserConnectionToken(): BrowserConnectionToken;
//# sourceMappingURL=browser-connection-token.d.ts.map