
Commit 4d0c094

committed
Allow session to reach auth handlers.
Otherwise, third-party origins cannot log the user out.
1 parent f74b287 commit 4d0c094

1 file changed

+20
-18
lines changed

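--- a/lib/create-app.js
+++ b/lib/create-app.js
@@ -164,24 +164,7 @@ function initWebId (argv, app, ldp) {
 // (for same-domain browsing by people only)
 const useSecureCookies = !!argv.sslKey // use secure cookies when over HTTPS
 const sessionHandler = session(sessionSettings(useSecureCookies, argv.host))
-app.use((req, res, next) => {
-sessionHandler(req, res, () => {
-// Reject cookies from third-party applications.
-// Otherwise, when a user is logged in to their Solid server,
-// any third-party application could perform authenticated requests
-// without permission by including the credentials set by the Solid server.
-const origin = req.headers.origin
-const userId = req.session.userId
-if (!argv.host.allowsSessionFor(userId, origin)) {
-debug(`Rejecting session for ${userId} from ${origin}`)
-// Destroy session data
-delete req.session.userId
-// Ensure this modified session is not saved
-req.session.save = (done) => done()
-}
-next()
-})
-})
+app.use(sessionHandler)
 
 let accountManager = AccountManager.from({
 authMethod: argv.auth,
@@ -200,6 +183,25 @@ function initWebId (argv, app, ldp) {
 // Set up authentication-related API endpoints and app.locals
 initAuthentication(app, argv)
 
+// Protect against requests from third-party applications
+app.use((req, res, next) => {
+// Reject cookies from third-party applications.
+// Otherwise, when a user is logged in to their Solid server,
+// any third-party application could perform authenticated requests
+// without permission by including the credentials set by the Solid server.
+const origin = req.headers.origin
+const userId = req.session.userId
+if (!argv.host.allowsSessionFor(userId, origin)) {
+debug(`Rejecting session for ${userId} from ${origin}`)
+// Destroy session data
+delete req.session.userId
+// Ensure this modified session is not saved
+req.session.save = done => done()
+}
+next()
+})
+
+// Set up per-host LDP middleware
 if (argv.multiuser) {
 app.use(vhost('*', LdpMiddleware(corsSettings)))
 }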
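Review bot: Registering the origin check only after `initAuthentication(app, argv)` (second hunk, new lines 186-202) means every route that call registers, not just logout, now receives the cookie-backed session from any origin, which is exactly the cross-origin credential use the comment at new line 188 warns about; the commit description justifies this only for logout. If initAuthentication mounts more than the logout handler (not visible in this hunk), consider confining the bypass to that route, or at minimum record the trade-off where the first hunk's `app.use(sessionHandler)` and the new middleware are easy to misread as equivalent: replace the comment at new line 186 with `// Deliberately registered after initAuthentication: auth handlers (e.g. logout) must see the session from any origin; all routes mounted below only see it for origins accepted by argv.host.allowsSessionFor.` The enclosing function initWebId starts and ends outside the hunk.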
