

add timestamp to tokens and decode uri encoded strings

+20 -10
+20 -10
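--- a/middleware.ts
+++ b/middleware.ts
@@ -42,7 +42,7 @@
 let pub = routes?.publication_domains[0]?.publications;
 if (pub) {
 let cookie = req.cookies.get("external_auth_token");
-if (!cookie) {
+if (!cookie && !hostname.includes("leaflet.pub")) {
 return initiateAuthCallback(req);
 }
 let aturi = new AtUri(pub?.uri);
@@ -67,10 +67,17 @@
 }
 }
 
-type CROSS_SITE_AUTH_REQUEST = { redirect: string };
-type CROSS_SITE_AUTH_RESPONSE = { redirect: string; auth_token: string | null };
+type CROSS_SITE_AUTH_REQUEST = { redirect: string; ts: string };
+type CROSS_SITE_AUTH_RESPONSE = {
+redirect: string;
+auth_token: string | null;
+ts: string;
+};
 async function initiateAuthCallback(req: NextRequest) {
-let token: CROSS_SITE_AUTH_REQUEST = { redirect: req.url };
+let token: CROSS_SITE_AUTH_REQUEST = {
+redirect: req.url,
+ts: new Date().toISOString(),
+};
 let payload = btoa(JSON.stringify(token));
 let signature = await signCrossSiteToken(payload);
 return NextResponse.redirect(
@@ -82,11 +89,12 @@
 let payload = req.nextUrl.searchParams.get("payload");
 let signature = req.nextUrl.searchParams.get("signature");
 
-if (typeof payload !== "string")
+if (typeof payload !== "string" || typeof signature !== "string")
 return new NextResponse(null, { status: 401 });
 
-let verifySig = await signCrossSiteToken(payload);
-if (verifySig !== signature) return new NextResponse(null, { status: 401 });
+let verifySig = await signCrossSiteToken(decodeURIComponent(payload));
+if (verifySig !== decodeURIComponent(signature))
+return new NextResponse(null, { status: 401 });
 
 let token: CROSS_SITE_AUTH_REQUEST = JSON.parse(atob(payload));
 let auth_token = req.cookies.get("auth_token")?.value || null;
@@ -94,6 +102,7 @@
 let response_token: CROSS_SITE_AUTH_RESPONSE = {
 redirect: token.redirect,
 auth_token,
+ts: new Date().toISOString(),
 };
 
 let response_payload = btoa(JSON.stringify(response_token));
@@ -107,11 +116,12 @@
 let payload = req.nextUrl.searchParams.get("payload");
 let signature = req.nextUrl.searchParams.get("signature");
 
-if (typeof payload !== "string")
+if (typeof payload !== "string" || typeof signature !== "string")
 return new NextResponse(null, { status: 401 });
 
-let verifySig = await signCrossSiteToken(payload);
-if (verifySig !== signature) return new NextResponse(null, { status: 401 });
+let verifySig = await signCrossSiteToken(decodeURIComponent(payload));
+if (verifySig !== decodeURIComponent(signature))
+return new NextResponse(null, { status: 401 });
 
 let token: CROSS_SITE_AUTH_RESPONSE = JSON.parse(atob(payload));
 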
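Review bot: The `ts` field is now signed into both tokens, but nothing in the two verification paths reads `token.ts`, so a captured `payload`/`signature` pair stays replayable indefinitely; after `let token: CROSS_SITE_AUTH_REQUEST = JSON.parse(atob(payload));` (and its `CROSS_SITE_AUTH_RESPONSE` twin) add `if (typeof token.ts !== "string" || Math.abs(Date.now() - Date.parse(token.ts)) > 60_000) return new NextResponse(null, { status: 401 });`, unless that check lives outside these hunks. In the same hunks the signature is computed over `decodeURIComponent(payload)` while the token is parsed from the raw `payload`, so the bytes that were verified and the bytes that are trusted can differ; decode once into a local and use it for both the HMAC check and `atob`. `decodeURIComponent` also throws `URIError` on malformed input such as a bare `%`, which turns a bad query string into an unhandled exception rather than the 401 the surrounding checks return, so wrap the decode in a try/catch that returns 401. In the first hunk `hostname.includes("leaflet.pub")` is a substring match that would also accept hosts like `leaflet.pub.example`; `hostname === "leaflet.pub" || hostname.endsWith(".leaflet.pub")` expresses the intent, though how `hostname` is derived is outside this hunk. The functions containing these hunks start and end outside the visible lines.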