elpatron/kapteins-daagbok
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

feat(security): Session-Cookies statt X-User-Id und API-Härtung

Browse Source 
Ersetzt die spoofbare X-User-Id-Auth durch signierte HttpOnly-Sessions nach
WebAuthn, erzwingt WRITE-only Sync, speichert den Master-Key nur im RAM und
ergänzt CORS, Rate-Limits, Helmet sowie Passkey-Reauth für sensible Aktionen.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
elpatron
2026-05-30 13:47:24 +02:00
parent 4f3f530f1f
commit dea33e3f00
33 changed files with 657 additions and 397 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/src/middleware/auth.ts
+33
View File
@@ -0,0 +1,33 @@
import type { Request, Response, NextFunction } from 'express'
import { hasValidReauth, readSessionFromRequest } from '../session.js'
export interface AuthedRequest extends Request {
userId: string
session: NonNullable<ReturnType<typeof readSessionFromRequest>>
}
export function requireUser(req: Request, res: Response, next: NextFunction): void {
const session = readSessionFromRequest(req)
if (!session) {
res.status(401).json({ error: 'Unauthorized: valid session required' })
return
}
;(req as AuthedRequest).userId = session.userId
;(req as AuthedRequest).session = session
next()
}
export function requireReauth(req: Request, res: Response, next: NextFunction): void {
const session = readSessionFromRequest(req)
if (!session) {
res.status(401).json({ error: 'Unauthorized: valid session required' })
return
}
if (!hasValidReauth(session)) {
res.status(403).json({ error: 'Recent passkey confirmation required' })
return
}
;(req as AuthedRequest).userId = session.userId
;(req as AuthedRequest).session = session
next()
}