Pass x-xsrf-token as long as the cookie to the middleware service

a8d396ff · FORESTIER Fabien · 9ca59f13 · a8d396ff · a8d396ff
Commit a8d396ff authored 6 years ago by FORESTIER Fabien
--- a/src/authentication/authentication.controller.ts
+++ b/src/authentication/authentication.controller.ts
@@ -30,12 +30,16 @@ export class AuthenticationController {
  async legacyLogin(@Body() body: LoginForm, @Res() res: Response) {
    try {
      const loginResult = await this._authService.legacyLogin(body);
+
+      const cookieExpiresAt = new Date();
+      cookieExpiresAt.setDate(cookieExpiresAt.getDate() + 7);
+
      res.cookie(
        this._configService.config.accessTokenCookieKey,
        loginResult.jwtToken,
        {
          domain: this._configService.config.cookieDomain,
-          expires: new Date(Date.now() + 900000),
+          expires: cookieExpiresAt,
          httpOnly: true,
          secure: true,
        },
@@ -105,20 +109,24 @@ export class AuthenticationController {
    name: 'Cookie',
    description: 'The JWT token is sent by the browser as a cookie (refer to the config to know which key is used)',
  })
-  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token' })
  @ApiResponse({ status: 200, description: 'Success', type: UserInfoUpdateResponse })
  @ApiResponse({ status: 400, description: 'Bad Request (user not found, password incorrect)' })
  @ApiResponse({ status: 500, description: 'Internal error' })
  async updateUserInfo(@Req() req, @Res() res, @Body() userUpdateForm: UserUpdateForm) {
    Logger.log('[-] update user password endpoint');
    try {
-      const updateResult = await this._authService.updateUserInfo(req.cookies.access_token, userUpdateForm);
+      const updateResult = await this._authService.updateUserInfo(req.cookies.access_token, userUpdateForm, req.headers['x-xsrf-token']);
+
+      const cookieExpiresAt = new Date();
+      cookieExpiresAt.setDate(cookieExpiresAt.getDate() + 7);
+
      res.cookie(
        this._configService.config.accessTokenCookieKey,
        updateResult.jwtToken,
        {
          domain: this._configService.config.cookieDomain,
-          expires: new Date(Date.now() + 900000),
+          expires: cookieExpiresAt,
          httpOnly: true,
          secure: true,
        },
@@ -139,7 +147,7 @@ export class AuthenticationController {
    name: 'Cookie',
    description: 'The JWT token is sent by the browser as a cookie (refer to the config to know which key is used)',
  })
-  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token'})
+  @ApiImplicitHeader({ name: 'x-xsrf-token', description: 'Xsrf Token' })
  @ApiResponse({ status: 200, description: 'User is existing, returning its info', type: UserInfoWithoutPassword })
  @ApiResponse({ status: 400, description: 'Bad Request (Missing fields or already existing account)' })
  @ApiResponse({ status: 500, description: 'Internal error' })
@@ -147,7 +155,11 @@ export class AuthenticationController {
    Logger.log('[-] get user info endpoint');
    const tokenPayload: JWTTokenInfo = req.headers.token;
    try {
-      return await this._authService.getUserInfo(req.cookies[this._configService.config.accessTokenCookieKey], tokenPayload);
+      return await this._authService.getUserInfo(
+        req.cookies[this._configService.config.accessTokenCookieKey],
+        tokenPayload,
+        req.headers['x-xsrf-token'],
+      );
    } catch (error) {
      Logger.error(`[x] Error in controller: ${error}`);
      if (error instanceof HttpException) {

--- a/src/authentication/authentication.service.ts
+++ b/src/authentication/authentication.service.ts
@@ -105,12 +105,15 @@ export class AuthenticationService {
    }
  }

-  async updateUserInfo(token: string, form: UserUpdateForm): Promise<UserInfoUpdateResponse> {
+  async updateUserInfo(token: string, form: UserUpdateForm, xsrfToken: string): Promise<UserInfoUpdateResponse> {
    Logger.log('[-] User update info:');
    try {
      const body = await request.put({
        url: `${this.conf.legacyMiddlewareUrl}/user/update`,
-        headers: { Cookie: `${this.configService.config.accessTokenCookieKey}=${token}` },
+        headers: {
+          'Cookie': `${this.configService.config.accessTokenCookieKey}=${token}`,
+          'x-xsrf-token': xsrfToken,
+        },
        json: form,
      });
      Logger.log('    [*] Response body:', body);
@@ -223,12 +226,12 @@ export class AuthenticationService {
  //   }
  // }

-  async getUserInfo(token: string, info: JWTTokenInfo) {
+  async getUserInfo(token: string, info: JWTTokenInfo, xsrfToken: string) {
    if (info && info.identity_provider) {
      let res: UserInfoWithoutPassword;
      switch (info.identity_provider) {
        case 'legacy':
-          res = await this.getUserInfoLegacy(token);
+          res = await this.getUserInfoLegacy(token, xsrfToken);
          break;
        default:
          throw new BadRequestException('Unrecognised identity provider');
@@ -241,13 +244,14 @@ export class AuthenticationService {
    }
  }

-  private async getUserInfoLegacy(token: string): Promise<UserInfoWithoutPassword> {
+  private async getUserInfoLegacy(token: string, xsrfToken: string): Promise<UserInfoWithoutPassword> {
    // Set the cookie header with the JWT
    try {
      const body = await request.get({
        url: `${this.conf.legacyMiddlewareUrl}/user`,
        headers: {
-          Cookie: `${this.configService.config.accessTokenCookieKey}=${token}`,
+          'Cookie': `${this.configService.config.accessTokenCookieKey}=${token}`,
+          'x-xsrf-token': xsrfToken,
        },
      });
      Logger.log('    [*] Response body:', body);