Previously, tokens were essentially IDs: time-based with an incrementing counter, so an attacker could easily brute-force them. This patch changes tokens to be completely random. Fixes #2
import { getCookie, H3Event } from "h3";
import { database } from "./database";
import SessionToken from "./SessionToken";
import { createError } from "#imports";
/**
 * Resolves the user that owns the session referenced by the request's
 * `token` cookie.
 *
 * The cookie value is parsed with `SessionToken.fromString` and matched
 * against a session row whose `expiry_date` is not in the past. Only the
 * user's `display_name`, `email`, `id` and `username` are selected.
 *
 * @param e - The incoming h3 request event.
 * @returns The selected public fields of the session's user.
 * @throws The error built by `createError("User not found")` when the cookie
 *   is absent, no unexpired session matches it, or the session has no user.
 *   NOTE(review): a malformed cookie may make `SessionToken.fromString`
 *   throw its own error instead of this one — confirm how that should
 *   surface to the client.
 */
export default async function getRequestingUser(e: H3Event) {
  const token = getCookie(e, "token");
  if (!token) throw createError("User not found");

  // The token is untrusted input: it is only used to build the session's
  // unique key, and the lookup is further restricted to unexpired rows so
  // an expired session does not authenticate.
  const session = await database.session.findUnique({
    where: {
      ...SessionToken.fromString(token).toPrisma(),
      expiry_date: { gte: new Date() },
    },
    select: {
      user: {
        select: {
          display_name: true,
          email: true,
          id: true,
          username: true,
        },
      },
    },
  });

  if (session === null) throw createError("User not found");

  const { user } = session;
  if (!user) throw createError("User not found");
  return user;
}