[BREAKING] Auth: replace current auth tokens with more secure ones
previously tokens were only like IDs, time based and incrementing counter. An attacker could easily bruteforce them. This patch changes tokens to be completely random. fixes #2
This commit is contained in:
parent
434ae5843e
commit
ebf5690519
5 changed files with 72 additions and 15 deletions
|
|
@ -1,9 +1,11 @@
|
|||
import { defineEventHandler, getCookie } from "h3";
|
||||
import { createError } from "#imports";
|
||||
import SessionToken from "../utils/SessionToken";
|
||||
|
||||
import { database } from "~/server/utils/database";
|
||||
import getRequestingUser from "~/server/utils/getRequestingUser";
|
||||
|
||||
import { createError } from "#imports";
|
||||
|
||||
const endpointsWithoutAuth: string[] = [
|
||||
"/dbtest",
|
||||
"/echo",
|
||||
|
|
@ -37,7 +39,10 @@ export async function isAuthorised(token: string | undefined): Promise<boolean>
|
|||
try {
|
||||
await database.session.findUniqueOrThrow({
|
||||
where: {
|
||||
id: BigInt(token),
|
||||
...SessionToken.fromString(token).toPrisma(),
|
||||
expiry_date: {
|
||||
gte: new Date(),
|
||||
},
|
||||
},
|
||||
});
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue