This repository has been archived by the owner on Feb 11, 2023. It is now read-only.

Delete token upon each Google redirect and rename 'token' to 'TOKEN'
payton committed Dec 29, 2017
1 parent 079b08d commit e798819
Showing 2 changed files with 7 additions and 3 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -4,7 +4,7 @@ Google authentication for [CloudFront](https://aws.amazon.com/cloudfront/) using
Developed as per [Google's OpenID Connect](https://developers.google.com/identity/protocols/OpenIDConnect)

# Description
`cloudfront-google-auth` follows the OpenID Connect spec as described in [Google's documentation](https://developers.google.com/identity/protocols/OpenIDConnect). Upon successful authentication, a cookie (named `token`) with the value of the [OpenId JWT response](https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo) is set and the user redirected back to the orginally requested path. This JWT cookie is checked for validity (signature, expiration date and matching hosted domain) upon each request and `cloudfront-google-auth` will redirect the user to Google login when necessary.
`cloudfront-google-auth` follows the OpenID Connect spec as described in [Google's documentation](https://developers.google.com/identity/protocols/OpenIDConnect). Upon successful authentication, a cookie (named `TOKEN`) with the value of the [OpenId JWT response](https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo) is set and the user redirected back to the orginally requested path. This JWT cookie is checked for validity (signature, expiration date and matching hosted domain) upon each request and `cloudfront-google-auth` will redirect the user to Google login when necessary.

# Usage
1. If your CloudFront distribution is pointed at an S3 bucket, [configure origin access identity](http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-creating-oai-console) so S3 objects can be stored with private permissions
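
Review bot: The rewritten Description line still carries the typo "orginally"; since the line is being touched anyway, correct it to "originally". The description also says nothing about the old `token` cookie being expired on every redirect to Google, which this commit adds in index.js; one sentence on that would help users upgrading from the lowercase name.
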
8 changes: 6 additions & 2 deletions index.js
Expand Up @@ -73,7 +73,7 @@ function processRequest(event, context, callback) {
}],
'set-cookie' : [{
key: 'Set-Cookie',
value : cookie.serialize('token', parsedData.id_token)
value : cookie.serialize('TOKEN', parsedData.id_token)
}],
},
};
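
Review bot: `cookie.serialize('TOKEN', parsedData.id_token)` is called without an options object, so the ID token cookie is set without `httpOnly`, `secure` or an explicit `path`. Since this cookie is the credential checked on every request, pass options such as `{ path: '/', httpOnly: true, secure: true }`; an explicit `path: '/'` would also be consistent with the path used for the expiry cookie in `redirectToGoogleLogin`.
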
Expand All @@ -93,7 +93,7 @@ function processRequest(event, context, callback) {
req.write(postData);
req.end();
} else if ("cookie" in headers
&& "token" in cookie.parse(headers["cookie"][0].value)) {
&& "TOKEN" in cookie.parse(headers["cookie"][0].value)) {
var token = jwt.decode(cookie.parse(headers["cookie"][0].value).token, {complete: true});

// Search for correct JWK from discovery document and create PEM
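
Review bot: The rename is incomplete in this branch: the condition now tests for `"TOKEN"`, but the unchanged next line still reads `cookie.parse(headers["cookie"][0].value).token`, which is undefined when the browser sends only the new `TOKEN` cookie. Change the property access to `.TOKEN`, and consider parsing the header once into a local variable so the cookie name appears in one place.
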
Expand Down Expand Up @@ -147,6 +147,10 @@ function redirectToGoogleLogin(request, callback) {
key: 'Location',
value: discoveryDocument.authorization_endpoint + "?" + querystring
}],
'set-cookie' : [{
key: 'Set-Cookie',
value : cookie.serialize('token', '', { path: '/', expires: new Date(1970, 1, 1, 0, 0, 0, 0) })
}],
},
};
callback(null, response);
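
Review bot: The added Set-Cookie expires a cookie named `'token'`, while the callback handler now sets `'TOKEN'`; cookie names are case-sensitive, so a rejected or expired `TOKEN` cookie stays in the browser across the redirect. If the intent is to clear the credential before re-authentication, expire `'TOKEN'` here (and `'token'` as well in a second header entry if old clients matter). Also, `new Date(1970, 1, 1, 0, 0, 0, 0)` is 1 February 1970 in local time because JavaScript months are zero-based; it is still in the past, but `new Date(0)` states the intent more clearly.
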