Only refresh cookie on post (#606)
Browse files- src/hooks.server.ts +16 -13
src/hooks.server.ts
CHANGED
@@ -51,20 +51,25 @@ export const handle: Handle = async ({ event, resolve }) => {
|
|
51 |
"application/x-www-form-urlencoded",
|
52 |
"text/plain",
|
53 |
];
|
54 |
-
if (event.request.method === "POST" && nativeFormContentTypes.includes(requestContentType)) {
|
55 |
-
const referer = event.request.headers.get("referer");
|
56 |
|
57 |
-
|
58 |
-
|
59 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
60 |
|
61 |
-
|
62 |
-
|
63 |
-
|
64 |
-
|
65 |
|
66 |
-
|
67 |
-
|
|
|
68 |
}
|
69 |
}
|
70 |
|
@@ -100,8 +105,6 @@ export const handle: Handle = async ({ event, resolve }) => {
|
|
100 |
}
|
101 |
}
|
102 |
|
103 |
-
refreshSessionCookie(event.cookies, event.locals.sessionId);
|
104 |
-
|
105 |
let replaced = false;
|
106 |
|
107 |
const response = await resolve(event, {
|
|
|
51 |
"application/x-www-form-urlencoded",
|
52 |
"text/plain",
|
53 |
];
|
|
|
|
|
54 |
|
55 |
+
if (event.request.method === "POST") {
|
56 |
+
refreshSessionCookie(event.cookies, event.locals.sessionId);
|
57 |
+
|
58 |
+
if (nativeFormContentTypes.includes(requestContentType)) {
|
59 |
+
const referer = event.request.headers.get("referer");
|
60 |
+
|
61 |
+
if (!referer) {
|
62 |
+
return errorResponse(403, "Non-JSON form requests need to have a referer");
|
63 |
+
}
|
64 |
|
65 |
+
const validOrigins = [
|
66 |
+
new URL(event.request.url).origin,
|
67 |
+
...(PUBLIC_ORIGIN ? [new URL(PUBLIC_ORIGIN).origin] : []),
|
68 |
+
];
|
69 |
|
70 |
+
if (!validOrigins.includes(new URL(referer).origin)) {
|
71 |
+
return errorResponse(403, "Invalid referer for POST request");
|
72 |
+
}
|
73 |
}
|
74 |
}
|
75 |
|
|
|
105 |
}
|
106 |
}
|
107 |
|
|
|
|
|
108 |
let replaced = false;
|
109 |
|
110 |
const response = await resolve(event, {
|