harden(logout): enforce POST+CSRF and remove GET logout triggers
This commit is contained in:
@@ -21,6 +21,20 @@ const toPositiveInt = (value, fallback = 0) => {
|
||||
|
||||
const toTrimmed = (value) => String(value ?? '').trim();
|
||||
|
||||
const requestSubmitWithFallback = (form) => {
|
||||
if (!(form instanceof HTMLFormElement)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (typeof form.requestSubmit === 'function') {
|
||||
form.requestSubmit();
|
||||
return true;
|
||||
}
|
||||
|
||||
form.submit();
|
||||
return true;
|
||||
};
|
||||
|
||||
const resolveConfig = (runtimeConfig = {}) => {
|
||||
const root = document.documentElement;
|
||||
const config = runtimeConfig && typeof runtimeConfig === 'object' && !Array.isArray(runtimeConfig)
|
||||
@@ -34,7 +48,7 @@ const resolveConfig = (runtimeConfig = {}) => {
|
||||
|
||||
const idleSeconds = toPositiveInt(config.idleSeconds ?? root.dataset.sessionIdleSeconds, 0);
|
||||
const pingUrl = toTrimmed(config.pingUrl ?? root.dataset.sessionPingUrl);
|
||||
const logoutUrl = toTrimmed(config.logoutUrl ?? root.dataset.sessionLogoutUrl);
|
||||
const logoutFormId = toTrimmed(config.logoutFormId ?? root.dataset.sessionLogoutFormId);
|
||||
const csrfKey = toTrimmed(config.csrfKey ?? root.dataset.csrfKey);
|
||||
const csrfToken = toTrimmed(config.csrfToken ?? root.dataset.csrfToken);
|
||||
const selector = toTrimmed(config.selector || '[data-app-session-warning-dialog]') || '[data-app-session-warning-dialog]';
|
||||
@@ -42,7 +56,7 @@ const resolveConfig = (runtimeConfig = {}) => {
|
||||
if (idleSeconds < MIN_IDLE_TIMEOUT) {
|
||||
return null;
|
||||
}
|
||||
if (!pingUrl || !logoutUrl || !csrfKey || !csrfToken) {
|
||||
if (!pingUrl || !logoutFormId || !csrfKey || !csrfToken) {
|
||||
warnOnce('UI_CONFIG_INVALID', 'Session warning config is incomplete', {
|
||||
module: 'session-warning',
|
||||
});
|
||||
@@ -52,7 +66,7 @@ const resolveConfig = (runtimeConfig = {}) => {
|
||||
return {
|
||||
idleSeconds,
|
||||
pingUrl,
|
||||
logoutUrl,
|
||||
logoutFormId,
|
||||
csrfKey,
|
||||
csrfToken,
|
||||
selector,
|
||||
@@ -230,7 +244,12 @@ export function initSessionWarning(root = document, runtimeConfig = {}) {
|
||||
|
||||
const doLogout = () => {
|
||||
closeDialog();
|
||||
window.location.href = config.logoutUrl;
|
||||
const form = document.getElementById(config.logoutFormId);
|
||||
if (!requestSubmitWithFallback(form)) {
|
||||
warnOnce('UI_EL_MISSING', `Missing logout form: #${config.logoutFormId}`, {
|
||||
module: 'session-warning',
|
||||
});
|
||||
}
|
||||
};
|
||||
|
||||
const onUserInteraction = () => {
|
||||
|
||||
Reference in New Issue
Block a user