improve session_id management, use state instead of query

Author: CodeShellDev

src/auth.js

@@ -12,7 +12,7 @@ import { logger } from "./utils/logger.js"
 
 import {
 	redisClient,
-	GetFromCache,
+	ReadFromCache,
 	WriteToCache,
 	DeleteFromCache,
 } from "./db.js"
@@ -112,8 +112,18 @@ function registerOauth() {
 	router.use(passport.session())
 
 	router.get("/", async (req, res, next) => {
-		if (req.query.session_id) {
-			res.cookie("session_id", req.query.session_id, {
+		// auth.com => app.com
+		if (req.query.state) {
+			const state = req.query.state
+
+			const sessionID = await ReadFromCache(`oauth_state=${state}`)
+			if (!sessionID) {
+				return res.status(400).send("Invalid or expired oauth state")
+			}
+
+			await DeleteFromCache(`oauth_state=${state}`)
+
+			res.cookie("session_id", sessionID, {
 				domain: redirectURL.hostname,
 				httpOnly: true,
 				secure: true,
@@ -122,18 +132,22 @@ function registerOauth() {
 			})
 		}
 
+		// entry.com => app.com
 		if (req.hostname !== redirectURL.hostname) {
 			const originalUrl = getOriginalUrl(req)
-
-			logger.debug("Cached original url: " + originalUrl)
+			logger.debug("Cached entrypoint: " + originalUrl)
 
 			const sessionID = uuidv4()
+			const state = uuidv4()
 
 			await WriteToCache(`service=${sessionID}`, originalUrl)
 
-			return res.redirect(`${redirectURL.origin}/?session_id=${sessionID}`)
+			await WriteToCache(`oauth_state=${state}`, sessionID, { expire: 600 })
+
+			return res.redirect(`${redirectURL.origin}/?state=${state}`)
 		}
 
+		// app.com => auth.com
 		if (!req.isAuthenticated()) {
 			return res.redirect("/auth")
 		}

src/db.js

@@ -19,22 +19,26 @@ export async function Init() {
 	logger.debug("Connected to Redis")
 }
 
-export async function GetFromCache(key, { hash = false } = {}) {
+export async function ReadFromCache(key, { hash = false } = {}) {
 	if (hash) {
 		return await redisClient.hGetAll(key)
 	} else {
 		return await redisClient.get(key)
 	}
 }
 
-export async function WriteToCache(key, value, { hash = false } = {}) {
+export async function WriteToCache(
+	key,
+	value,
+	{ hash = false, expire = 3600 } = {}
+) {
 	if (hash) {
 		await redisClient.hSet(key, value)
 	} else {
 		await redisClient.set(key, value)
 	}
 
-	await redisClient.expire(key, 3600)
+	await redisClient.expire(key, expire)
 }
 
 export async function DeleteFromCache(key, { hash = false } = {}) {

src/wol.js

@@ -7,7 +7,7 @@ import { ENV } from "./env.js"
 import request from "./utils/request.js"
 
 import * as wss from "./wss.js"
-import { GetFromCache, DeleteFromCache } from "./db.js"
+import { ReadFromCache, DeleteFromCache } from "./db.js"
 
 const router = express.Router()
 
@@ -335,7 +335,7 @@ async function startProcessing(req, res) {
 	}
 
 	const key = `service=${sessionID}`
-	const originalUrl = await GetFromCache(key)
+	const originalUrl = await ReadFromCache(key)
 
 	await DeleteFromCache(key)
 
@@ -441,11 +441,11 @@ export function Router() {
 }
 
 router.get("/", async (req, res, next) => {
-	if (!req.session) {
-		return res.status(500).send("Bad Request: Missing session_id")
+	if (!req.cookies.session_id) {
+		return res.redirect("/auth")
 	}
 
-	const serviceUrl = await GetFromCache(`service=${req.query.session_id}`)
+	const serviceUrl = await ReadFromCache(`service=${req.cookies.session_id}`)
 
 	return res.render("home", {
 		user: {