
Commit e3050b9

committed
Revert "Allow session to reach auth handlers."
This reverts commit 4d0c094.
1 parent 0170a22 commit e3050b9


1 file changed

+18
-20
lines changed


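--- a/lib/create-app.js
+++ b/lib/create-app.js
@@ -168,7 +168,24 @@ function initWebId (argv, app, ldp) {
 // (for same-domain browsing by people only)
 const useSecureCookies = !!argv.sslKey // use secure cookies when over HTTPS
 const sessionHandler = session(sessionSettings(useSecureCookies, argv.host))
-app.use(sessionHandler)
+app.use((req, res, next) => {
+sessionHandler(req, res, () => {
+// Reject cookies from third-party applications.
+// Otherwise, when a user is logged in to their Solid server,
+// any third-party application could perform authenticated requests
+// without permission by including the credentials set by the Solid server.
+const origin = req.headers.origin
+const userId = req.session.userId
+if (!argv.host.allowsSessionFor(userId, origin)) {
+debug(`Rejecting session for ${userId} from ${origin}`)
+// Destroy session data
+delete req.session.userId
+// Ensure this modified session is not saved
+req.session.save = (done) => done()
+}
+next()
+})
+})
 
 let accountManager = AccountManager.from({
 authMethod: argv.auth,
@@ -187,25 +204,6 @@ function initWebId (argv, app, ldp) {
 // Set up authentication-related API endpoints and app.locals
 initAuthentication(app, argv)
 
-// Protect against requests from third-party applications
-app.use((req, res, next) => {
-// Reject cookies from third-party applications.
-// Otherwise, when a user is logged in to their Solid server,
-// any third-party application could perform authenticated requests
-// without permission by including the credentials set by the Solid server.
-const origin = req.headers.origin
-const userId = req.session.userId
-if (!argv.host.allowsSessionFor(userId, origin)) {
-debug(`Rejecting session for ${userId} from ${origin}`)
-// Destroy session data
-delete req.session.userId
-// Ensure this modified session is not saved
-req.session.save = done => done()
-}
-next()
-})
-
-// Set up per-host LDP middleware
 if (argv.multiuser) {
 app.use(vhost('*', LdpMiddleware(corsSettings)))
 }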
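Review bot: The callback handed to `sessionHandler` on new line 172 declares no error parameter, so an error the session middleware reports (a store failure, for instance) is dropped and the wrapper goes on to read `req.session.userId`, which would throw if `req.session` was never populated in that case; the replaced `app.use(sessionHandler)` let such errors reach Express's error handlers. Forward it instead: `sessionHandler(req, res, (err) => {` followed by `if (err) return next(err)` before the origin check. Separately, the rejection path clears only `userId` and swaps `req.session.save` for a no-op on this one request object, so any other per-user state kept in the session is still readable downstream; whether that matters depends on what else the app stores there, which is not visible in this hunk. The enclosing initWebId starts before the first hunk and ends after the second.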
