[-] Security - Do not pass session token in query params while downloading collections records (#309)

Author: arnaudbesnier

CHANGELOG.md

@@ -1,6 +1,8 @@
 # Change Log
 
 ## [Unreleased]
+### Changed
+- Security - Do not pass session token in query params while downloading collections records.
 
 ## RELEASE 3.0.0-beta.14 - 2019-03-01
 ### Fixed

app/controllers/forest_liana/application_controller.rb

@@ -3,6 +3,8 @@
 
 module ForestLiana
   class ApplicationController < ForestLiana::BaseController
+    REGEX_COOKIE_SESSION_TOKEN = /sessionToken=(.*);?/;
+
     def self.papertrail?
       Object.const_get('PaperTrail::Version').is_a?(Class) rescue false
     end
@@ -56,11 +58,13 @@ def serialize_models(records, options = {}, fields_searched = [])
 
     def authenticate_user_from_jwt
       begin
-        if request.headers['Authorization'] || params['sessionToken']
+        if request.headers
           if request.headers['Authorization']
             token = request.headers['Authorization'].split.second
-          else
-            token = params['sessionToken']
+          # NOTICE: Necessary for downloads authentication.
+          elsif request.headers['cookie']
+            match = REGEX_COOKIE_SESSION_TOKEN.match(request.headers['cookie'])
+            token = match[1] if match && match[1]
           end
 
           @jwt_decoded_token = JWT.decode(token, ForestLiana.auth_secret, true,