;
/*
In the interest of security and "XSS", we strip the "remember_me" cookie
from the header before passing anything along via the proxy.
This is important because it's critical that neither the project nor
anything running in the project can get access to a user's auth cookie.
I.e., malicious code running in a project shouldn't be able to steal
auth credentials for all users of a project!
*/
/*
 * Compiler-emitted iteration helper (the tslib `__values` shim) used by
 * down-levelled `for...of` loops. Given `o`, it returns an iterator:
 *   - the object's own Symbol.iterator result when one exists, or
 *   - an index-based iterator when `o` has a numeric `length`.
 * Anything else raises a TypeError. An already-installed `this.__values`
 * is reused instead of redefining the helper.
 */
var __values = (this && this.__values) || function (o) {
  var iteratorKey = typeof Symbol === "function" && Symbol.iterator;
  var iteratorFactory = iteratorKey && o[iteratorKey];
  var position = 0;

  if (iteratorFactory) {
    return iteratorFactory.call(o);
  }

  if (o && typeof o.length === "number") {
    return {
      next: function () {
        // Once the index runs past the end, drop the reference so that
        // every later call reports `done: true`.
        if (o && position >= o.length) {
          o = void 0;
        }
        return { value: o && o[position++], done: !o };
      }
    };
  }

  throw new TypeError(
    iteratorKey ? "Object is not iterable." : "Symbol.iterator is not defined."
  );
};
// Flag the CommonJS exports object as a transpiled ES module, so that
// interop code knows to read the real export from `.default`.
Object.defineProperty(exports, "__esModule", { value: true });
// Provides remember_me_cookie_name(), i.e. the name of the auth cookie that
// stripRememberMeCookie below removes from proxied requests.
var auth_1 = require("../auth");
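/**
 * Split the auth ("remember me") cookie out of a raw Cookie header value so
 * that the remaining cookies can be passed through the proxy without it.
 *
 * The header comes from the client and is therefore untrusted. Every segment
 * whose (trimmed) name matches the auth cookie name is dropped from the
 * forwarded value, including a malformed segment that has no "=value" part,
 * so a malformed header can neither throw here nor leave the auth cookie in
 * the string handed on to the project. Callers must forward only the returned
 * `cookie`, never the original header.
 *
 * @param {string|null|undefined} cookie - Raw Cookie header value.
 * @returns {{cookie: (string|null|undefined), remember_me: (string|undefined)}}
 *   `cookie` is the header value with the auth cookie removed (the input is
 *   returned unchanged when it is null/undefined); `remember_me` is the
 *   trimmed value of the last auth cookie that carried a value, or undefined
 *   when there was none.
 */
function stripRememberMeCookie(cookie) {
  if (cookie == null) {
    return { cookie: cookie, remember_me: undefined };
  }

  // The name does not change while one header is scanned, so look it up once.
  // NOTE(review): assumed to be a string — confirm in ../auth; a non-string
  // would never match under `===` and the cookie would pass through.
  var authCookieName = auth_1.remember_me_cookie_name();
  var kept = [];
  var remember_me = undefined;
  var segments = cookie.split(";");

  for (var i = 0; i < segments.length; i++) {
    var segment = segments[i];
    // Split on the FIRST "=" only: cookie values may themselves contain "="
    // (e.g. base64 padding), and splitting on every "=" would truncate them.
    var eq = segment.indexOf("=");
    var name = (eq === -1 ? segment : segment.slice(0, eq)).trim();

    if (name === authCookieName) {
      // Save the value, but keep the segment out of `kept`, which becomes the
      // cookie string sent through the proxy. A valueless segment is still
      // dropped; it just has nothing to record.
      if (eq !== -1) {
        remember_me = segment.slice(eq + 1).trim();
      }
    } else {
      kept.push(segment);
    }
  }

  return { cookie: kept.join(";"), remember_me: remember_me };
}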
// Default export of this module: the cookie-stripping function itself.
exports.default = stripRememberMeCookie;
//# sourceMappingURL=strip-remember-me-cookie.js.map