UNPKG

supakit

Version:

A Supabase auth helper for SvelteKit. Relies on browser cookies.

github.com/j4w8n/supakit

j4w8n/supakit

75 lines (74 loc) 3.69 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
import { getCookieOptions } from '../config/index.js'; import { json } from "@sveltejs/kit"; import { csrf_check } from '../utils.js'; export const cookies = (async ({ event, resolve }) => { const { url, request, cookies } = event; const cookie_options = getCookieOptions(); if (url.pathname === '/supakitCSRF') { const forbidden = csrf_check(event); if (forbidden) return forbidden; if (request.method === 'POST') { const data = request.body ? await request.json() : {}; if (!data.token && !data.name) return new Response('Invalid body.', { status: 400 }); const token = data.token; const cookie_name = data.name; const response = new Response(null); response.headers.append('set-cookie', cookies.serialize(`sb-${cookie_name}-csrf`, token)); return response; } return new Response(null, { status: 401 }); } /* Handle request to Supakit's cookie route */ if (url.pathname === '/supakit') { const forbidden = csrf_check(event); if (forbidden) return forbidden; const cookie_name = request.headers.get('x-csrf-name') ?? false; const cookie = cookies.get(`sb-${cookie_name}-csrf`) ?? false; const token = request.headers.get('x-csrf-token') ?? false; if (!cookie || !token) return new Response('No CSRF cookie or token', { status: 401 }); if (cookie != token) return new Response('CSRF cookie and token do not match', { status: 401 }); if (request.method === 'GET') { const key = request.headers.get('x-storage-key') ?? ''; const response = json({ cookie: cookies.get(key) ?? null }); return response; } if (request.method === 'POST') { const body = request.body ? await request.json() : null; if (body) { const response = new Response(null); response.headers.append('set-cookie', cookies.serialize(body.key, body.value, cookie_options)); if (body.value.provider_token) response.headers.append('set-cookie', cookies.serialize('sb-provider-token', JSON.stringify(body.value.provider_token), cookie_options)); if (body.value.provider_refresh_token) response.headers.append('set-cookie', cookies.serialize('sb-provider-refresh-token', JSON.stringify(body.value.provider_refresh_token), cookie_options)); return response; } else { return new Response('Invalid body.', { status: 400 }); } } if (request.method === 'DELETE') { const body = request.body ? await request.json() : null; const expire_options = { ...cookie_options, maxAge: -1 }; const response = new Response(null, { status: 204 }); response.headers.append('set-cookie', cookies.serialize(body.key, '', expire_options)); if (cookies.get('sb-provider-token')) response.headers.append('set-cookie', cookies.serialize('sb-provider-token', '', expire_options)); if (cookies.get('sb-provider-refresh-token')) response.headers.append('set-cookie', cookies.serialize('sb-provider-refresh-token', '', expire_options)); return response; } return new Response(null, { status: 401 }); } return await resolve(event); });