Benjamin Toby 2024-12-14 16:23:16 +01:00
parent 901492f5e2
commit 0880526f44
7 changed files with 21 additions and 8 deletions


@ -1,5 +1,5 @@
export = clientFetch;
declare function clientFetch(url: string, options?: import("../../package-shared/types").FetchApiOptions, contentType?: "json" | "text" | "html" | "blob" | "file"): Promise<any>;
declare function clientFetch(url: string, options?: import("../../package-shared/types").FetchApiOptions, csrf?: boolean): Promise<any>;
declare namespace clientFetch {
export { clientFetch as fetchApi };
}


@ -3,7 +3,7 @@
const _ = require("lodash");
/** @type {import("../../package-shared/types").FetchApiFn} */
async function clientFetch(url, options, contentType) {
async function clientFetch(url, options, csrf) {
let data;
let finalUrl = url;
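Review bot: Swapping the third positional parameter from `contentType` to `csrf` silently changes the meaning of existing JavaScript call sites such as `clientFetch(url, opts, "json")`: the string is truthy, so it is now read as `csrf = true` instead of a content type, and nothing at runtime rejects it. The package version only moves 3.1.2 → 3.1.3 in this commit, which signals a non-breaking change; either keep `contentType` in its slot and add `csrf` as a fourth parameter, or at least normalise the argument at the top of the body with `const useCsrf = csrf === true;` and use that, so a leftover string cannot enable CSRF handling by accident. The body of `clientFetch` continues past this hunk, so I cannot see how `csrf` is consumed downstream.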


@ -885,7 +885,7 @@ export type CheckApiCredentialsFnParam = {
table?: string;
user_id?: string | number;
};
export type FetchApiFn = (url: string, options?: FetchApiOptions, contentType?: "json" | "text" | "html" | "blob" | "file") => Promise<any>;
export type FetchApiFn = (url: string, options?: FetchApiOptions, csrf?: boolean) => Promise<any>;
export type FetchApiOptions = RequestInit & {
method: "POST" | "GET" | "DELETE" | "PUT" | "PATCH" | "post" | "get" | "delete" | "put" | "patch";
body?: object | string;


@ -1049,7 +1049,7 @@ export type CheckApiCredentialsFnParam = {
export type FetchApiFn = (
url: string,
options?: FetchApiOptions,
contentType?: "json" | "text" | "html" | "blob" | "file"
csrf?: boolean
) => Promise<any>;
export type FetchApiOptions = RequestInit & {


@ -1,6 +1,6 @@
{
"name": "@moduletrace/datasquirel",
"version": "3.1.2",
"version": "3.1.3",
"description": "Cloud-based SQL data management tool",
"main": "index.js",
"bin": {


@ -16,10 +16,12 @@ export = userAuth;
* @param {string} [params.database] - Database Name (slug)
* @param {string | number} [params.dsqlUserId] - alt env: DSQL_API_USER_ID
* @param {number} [params.expiry] - Expiry time in milliseconds
* @param {string} [params.csrfHeaderName] - Optional. CSRF Header Name
* @param {boolean} [params.csrfHeaderIsValue] - If the csrf value is the name of the request http header
*
* @returns { import("../package-shared/types").AuthenticatedUser }
*/
declare function userAuth({ request, req, encryptionKey, encryptionSalt, level, database, dsqlUserId, encryptedUserString, expiry, cookieString, }: {
declare function userAuth({ request, req, encryptionKey, encryptionSalt, level, database, dsqlUserId, encryptedUserString, expiry, cookieString, csrfHeaderIsValue, csrfHeaderName, }: {
request?: http.IncomingMessage & {
[x: string]: any;
};
@ -34,5 +36,7 @@ declare function userAuth({ request, req, encryptionKey, encryptionSalt, level,
database?: string;
dsqlUserId?: string | number;
expiry?: number;
csrfHeaderName?: string;
csrfHeaderIsValue?: boolean;
}): import("../package-shared/types").AuthenticatedUser;
import http = require("http");


@ -32,6 +32,8 @@ const yearInMilliseconds = dayInMilliseconds * 365;
* @param {string} [params.database] - Database Name (slug)
* @param {string | number} [params.dsqlUserId] - alt env: DSQL_API_USER_ID
* @param {number} [params.expiry] - Expiry time in milliseconds
* @param {string} [params.csrfHeaderName] - Optional. CSRF Header Name
* @param {boolean} [params.csrfHeaderIsValue] - If the csrf value is the name of the request http header
*
* @returns { import("../package-shared/types").AuthenticatedUser }
*/
@ -46,6 +48,8 @@ function userAuth({
encryptedUserString,
expiry = weekInMilliseconds,
cookieString,
csrfHeaderIsValue,
csrfHeaderName,
}) {
try {
const finalEncryptionKey =
@ -127,12 +131,17 @@ function userAuth({
*/
if (
level?.match(/deep/i) &&
!csrf?.match(new RegExp(`${userObject.csrf_k}`))
((csrfHeaderName &&
req?.headers[csrfHeaderName] !== userObject.csrf_k &&
request?.headers[csrfHeaderName] !== userObject.csrf_k) ||
(csrfHeaderIsValue &&
!req?.headers[userObject.csrf_k] &&
!request?.headers[userObject.csrf_k]))
) {
return {
success: false,
payload: null,
msg: "CSRF_K requested but does not match payload",
msg: "CSRF_K mismatch",
};
}
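Review bot: The rewritten condition fails open: when `level` is "deep" but the caller passes neither `csrfHeaderName` nor `csrfHeaderIsValue`, both inner branches are false, the `if` is skipped, and a deep-level authentication succeeds with no CSRF check at all, whereas the removed line required a matching `csrf` value unconditionally. A second, fail-closed problem is that `http.IncomingMessage` lowercases incoming header names, so a configured name like `X-CSRF-Token` (or a `csrf_k` containing uppercase) never matches `req.headers[csrfHeaderName]` and every deep-level request is rejected. I would restructure the check so that deep level always requires one of the two transports, normalise the header name with `.toLowerCase()`, and — since `csrf_k` is a secret compared against attacker-supplied input — prefer `crypto.timingSafeEqual` over `!==` where both sides are strings of equal length. If some callers intentionally use deep level without a CSRF header, that should at least be stated in the `csrfHeaderName` JSDoc, e.g. `Required at level "deep" unless csrfHeaderIsValue is set; compared case-insensitively`. `userAuth` starts before and ends after this hunk.

```javascript
if (level?.match(/deep/i)) {
    // Node lowercases request header names, so normalise the lookup key too.
    const header = (name) =>
        req?.headers?.[name.toLowerCase()] ??
        request?.headers?.[name.toLowerCase()];
    let csrfOk = false;
    if (csrfHeaderName) {
        csrfOk = header(csrfHeaderName) === userObject.csrf_k;
    } else if (csrfHeaderIsValue) {
        csrfOk = Boolean(header(String(userObject.csrf_k)));
    }
    // No transport configured, or value mismatch: fail closed at deep level.
    if (!csrfOk) {
        return {
            success: false,
            payload: null,
            msg: "CSRF_K mismatch",
        };
    }
}
```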