const
db = require('../db.js'),
logger = require('../logging.js').logger,
crypto = require('crypto'),
wsapi = require('../wsapi.js'),
secrets = require('../secrets.js');
// return the CSRF token, authentication status, and current server time (for assertion signing)
// 2011-12-22: adding a random seed for keygen
// IMPORTANT: returning the CSRF token in this response is safe only because the response is readable solely by same-origin code
// Route metadata for the wsapi dispatcher: a GET that neither writes the
// database nor requires an authenticated session.
Object.assign(exports, {
  method: 'get',
  writes_db: false,
  authed: false,
});

// determine the domain key creation date - issue #599
// Captured once at module load; certificates issued before this instant are
// treated as bogus by the rest of the system (see the log line below).
const domainKeyCreationDate = secrets.publicKeyCreationDate();
logger.debug(`domain key was created at ${domainKeyCreationDate} (certs issued prior to this are bogus)`);
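// GET handler: answers with the session's CSRF token, the caller's
// authentication status, the current server time, the domain key creation
// time and a fresh random seed (see the header comment above).
//
// @param {object} req - request; req.session is created on demand and
//   req.session.csrf is minted once per session and then reused.
// @param {object} res - response; answered exactly once via res.json(),
//   either synchronously (unauthenticated) or from the db callback.
exports.process = function(req, res) {
  if (typeof req.session === 'undefined') {
    req.session = {};
  }

  if (typeof req.session.csrf === 'undefined') {
    // 128 bits from the CSPRNG, minted once per session.
    // FIXME: async?
    req.session.csrf = crypto.randomBytes(16).toString('base64');
    // Log the event, not the value: the CSRF token is a per-session secret
    // and must not end up in the debug log.
    logger.debug("NEW csrf token created");
  }

  let authStatus = false;

  // Single response path so both branches below emit the same shape.
  function sendResponse() {
    res.json({
      csrf_token: req.session.csrf,
      server_time: (new Date()).getTime(),
      authenticated: authStatus,
      domain_key_creation_time: domainKeyCreationDate.getTime(),
      // 256 bits of fresh entropy per response; not retained server-side here.
      random_seed: crypto.randomBytes(32).toString('base64')
    });
  }

  if (!wsapi.isAuthed(req)) {
    logger.debug("user is not authenticated");
    sendResponse();
    return;
  }

  // if they're authenticated for an email address that we don't know about,
  // then we should purge the stored cookie
  db.emailKnown(req.session.authenticatedUser, function (known) {
    if (!known) {
      logger.debug("user is authenticated with an email that doesn't exist in the database");
      wsapi.clearAuthenticatedUser(req.session);
    } else {
      logger.debug("user is authenticated");
      authStatus = true;
    }
    sendResponse();
  });
};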