make cookie a bit more secure - fixes #445
We can't make the cookie `HttpOnly` because we're setting it from Javascript, but I'm not sure it's worth the trouble to redesign that: `JSON.parse(localStorage.account).token` gives you the token anyway, hiding the cookie from JS won't offer much protection. At least we can mark it `Secure` (meaning, only send it over HTTPS) and _delete it on logout_ (it wasn't!)
This commit is contained in:
parent
d1f0fc6d5d
commit
6826e43ad7
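--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -43,6 +43,7 @@ export async function signout() {
 waiting();
 miLocalStorage.removeItem('account');
 await removeAccount($i.id);
+document.cookie = `token=; path=/; max-age=0${ location.protocol === 'https:' ? '; Secure' : ''}`;
 const accounts = await getAccounts();
 
 //#region Remove service worker registration
@@ -200,7 +201,7 @@ export async function login(token: Account['token'], redirect?: string) {
 throw reason;
 });
 miLocalStorage.setItem('account', JSON.stringify(me));
-document.cookie = `token=${token}; path=/; max-age=31536000`; // bull dashboardの認証とかで使う
+document.cookie = `token=${token}; path=/; max-age=31536000${ location.protocol === 'https:' ? '; Secure' : ''}`; // bull dashboardの認証とかで使う
 await addAccount(me.id, token);
 
 if (redirect) {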
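Review bot: The cookie attributes are now spelled out twice — in the deletion line added to signout() in the first hunk and in the login() line in the second — so the two strings can drift, and if the path or Secure attribute of the delete ever stops matching the cookie that login() set, browsers may not match the existing cookie and the token stays behind after logout; hoisting the shared part into one helper, `const tokenCookieAttrs = () => \`path=/${location.protocol === 'https:' ? '; Secure' : ''}\`;`, and using it in both lines (`document.cookie = \`token=; ${tokenCookieAttrs()}; max-age=0\`;` / `document.cookie = \`token=${token}; ${tokenCookieAttrs()}; max-age=31536000\`;`) keeps set and delete in step. Neither string carries an explicit `SameSite`, so the cross-site behaviour of the token cookie depends on each browser's default; adding `; SameSite=Lax` inside that helper states the intent, presumably without breaking the Bull dashboard use mentioned in the comment, since Lax still sends the cookie on top-level navigations — worth confirming against how that dashboard is reached. The Japanese comment on the login line would help non-Japanese maintainers if it also recorded why Secure is conditional, e.g. `// used e.g. for Bull dashboard auth; Secure only on https so the cookie can still be set on http dev origins`. Both signout() and login() start and end outside the hunks.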