🐛 Fix issue where verification links would automatically get consumed by link checkers (#1060)

* 🧹 Remove legacy code

* ♻️ Handle HEAD requests to auth endpoint

Prevent link checkers from accidentally consuming verification links, which stopped users from logging in
Luke Vella 2024-03-15 10:00:26 +07:00 committed by GitHub
parent e8911583df
commit 113239c546
GPG key ID: B5690EEEBB952194
2 changed files with 10 additions and 35 deletions


@ -1,3 +1,11 @@
import type { NextApiRequest, NextApiResponse } from "next";
import { AuthApiRoute } from "@/utils/auth";
export default AuthApiRoute;
export default async function auth(req: NextApiRequest, res: NextApiResponse) {
if (req.method === "HEAD") {
return res.status(200).end();
}
return AuthApiRoute(req, res);
}
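Review bot: The HEAD short-circuit at line 23 only protects against scanners that probe with HEAD; a link checker that issues a GET to the callback URL still reaches `AuthApiRoute` and can consume the one-time verification token, so the fix is partial and the new code does not say so. The branch also answers 200 for every route under `/api/auth`, not just the verification callback, which is fine for a method that carries no body but is worth stating. I would document the intent and the limit above the check: `// Answer HEAD ourselves so link checkers probing a verification URL do not hit next-auth and consume the one-time token. GET-based prefetchers are not covered by this; a two-step (confirm-click) callback page would close that gap.` A short TSDoc line on the exported handler describing it as the next-auth entry point with this HEAD exception would complete it.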


@ -2,14 +2,12 @@ import { RegistrationTokenPayload } from "@rallly/backend";
import { decryptToken } from "@rallly/backend/session";
import { generateOtp, randomid } from "@rallly/backend/utils/nanoid";
import { prisma } from "@rallly/database";
import cookie from "cookie";
import { IronSession, unsealData } from "iron-session";
import {
GetServerSidePropsContext,
NextApiRequest,
NextApiResponse,
} from "next";
import { NextAuthOptions, RequestInternal } from "next-auth";
import { NextAuthOptions } from "next-auth";
import NextAuth, {
getServerSession as getServerSessionWithOptions,
} from "next-auth/next";
@ -318,34 +316,3 @@ export const isEmailBlocked = (email: string) => {
}
return false;
};
export const legacySessionConfig = {
password: process.env.SECRET_PASSWORD ?? "",
cookieName: "rallly-session",
cookieOptions: {
secure: process.env.NEXT_PUBLIC_BASE_URL?.startsWith("https://") ?? false,
},
ttl: 60 * 60 * 24 * 30, // 30 days
};
export const getUserFromLegacySession = async (
req: Pick<RequestInternal, "headers">,
) => {
const parsedCookie = cookie.parse(req.headers?.cookie);
if (parsedCookie[legacySessionConfig.cookieName]) {
try {
const session = await unsealData<IronSession>(
parsedCookie[legacySessionConfig.cookieName],
{
password: process.env.SECRET_PASSWORD,
},
);
if (session.user) {
return session.user;
}
} catch (e) {
return null;
}
}
return null;
};