ekzyis
/
stacker.news
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix cookie pointer override during account switching (#1783)

This commit is contained in:
ekzyis 2024-12-31 20:05:20 +01:00 committed by GitHub
parent a41d077c21
commit 4623743c8f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
pages/api/auth/[...nextauth].js
View File

@ -91,15 +91,14 @@ function getCallbacks (req, res) {
token.sub = Number(token.id) token.sub = Number(token.id)
} }
// response is only defined during signup/login // this only runs during a signup/login because response is only defined during signup/login
// and will add the multi_auth cookies for the user we just logged in as
if (req && res) { if (req && res) {
req = new NodeNextRequest(req) req = new NodeNextRequest(req)
res = new NodeNextResponse(res) res = new NodeNextResponse(res)
const secret = process.env.NEXTAUTH_SECRET const secret = process.env.NEXTAUTH_SECRET
const jwt = await encodeJWT({ token, secret }) const jwt = await encodeJWT({ token, secret })
const me = await prisma.user.findUnique({ where: { id: token.id } }) const me = await prisma.user.findUnique({ where: { id: token.id } })
// we set multi_auth cookies on login/signup with only one user so the rest of the code doesn't
// have to consider the case where they aren't set yet because account switching wasn't used yet
setMultiAuthCookies(req, res, { ...me, jwt }) setMultiAuthCookies(req, res, { ...me, jwt })
} }
@ -165,13 +164,15 @@ async function pubkeyAuth (credentials, req, res, pubkeyColumnName) {
// does the pubkey already exist in our db? // does the pubkey already exist in our db?
let user = await prisma.user.findUnique({ where: { [pubkeyColumnName]: pubkey } }) let user = await prisma.user.findUnique({ where: { [pubkeyColumnName]: pubkey } })
// get token if it exists // make following code aware of cookie pointer for account switching
req = multiAuthMiddleware(req) req = multiAuthMiddleware(req)
// token will be undefined if we're not logged in at all or if we switched to anon
const token = await getToken({ req }) const token = await getToken({ req })
if (!user) { if (!user) {
// we have not seen this pubkey before // we have not seen this pubkey before
// only update our pubkey if we're not currently trying to add a new account // only update our pubkey if we're logged in (token exists)
// and we're not currently trying to add a new account
if (token?.id && !multiAuth) { if (token?.id && !multiAuth) {
user = await prisma.user.update({ where: { id: token.id }, data: { [pubkeyColumnName]: pubkey } }) user = await prisma.user.update({ where: { id: token.id }, data: { [pubkeyColumnName]: pubkey } })
} else { } else {
@ -180,17 +181,6 @@ async function pubkeyAuth (credentials, req, res, pubkeyColumnName) {
} }
} }
if (token && token?.id !== user.id && multiAuth) {
// we're logged in as a different user than the one we're authenticating as
// and we want to add a new account. this means we want to add this account
// to our list of accounts for switching between so we issue a new JWT and
// update the cookies for multi-authentication.
const secret = process.env.NEXTAUTH_SECRET
const userJWT = await encodeJWT({ token: { id: user.id, name: user.name, email: user.email }, secret })
setMultiAuthCookies(req, res, { ...user, jwt: userJWT })
return token
}
return user return user
} }
} catch (error) { } catch (error) {