harden(logout): enforce POST+CSRF and remove GET logout triggers

This commit is contained in:
2026-04-25 23:35:03 +02:00
parent a24dc0c235
commit 3207d71244
6 changed files with 82 additions and 9 deletions

View File

@@ -21,6 +21,20 @@ const toPositiveInt = (value, fallback = 0) => {
const toTrimmed = (value) => String(value ?? '').trim();
const requestSubmitWithFallback = (form) => {
if (!(form instanceof HTMLFormElement)) {
return false;
}
if (typeof form.requestSubmit === 'function') {
form.requestSubmit();
return true;
}
form.submit();
return true;
};
const resolveConfig = (runtimeConfig = {}) => {
const root = document.documentElement;
const config = runtimeConfig && typeof runtimeConfig === 'object' && !Array.isArray(runtimeConfig)
@@ -34,7 +48,7 @@ const resolveConfig = (runtimeConfig = {}) => {
const idleSeconds = toPositiveInt(config.idleSeconds ?? root.dataset.sessionIdleSeconds, 0);
const pingUrl = toTrimmed(config.pingUrl ?? root.dataset.sessionPingUrl);
const logoutUrl = toTrimmed(config.logoutUrl ?? root.dataset.sessionLogoutUrl);
const logoutFormId = toTrimmed(config.logoutFormId ?? root.dataset.sessionLogoutFormId);
const csrfKey = toTrimmed(config.csrfKey ?? root.dataset.csrfKey);
const csrfToken = toTrimmed(config.csrfToken ?? root.dataset.csrfToken);
const selector = toTrimmed(config.selector || '[data-app-session-warning-dialog]') || '[data-app-session-warning-dialog]';
@@ -42,7 +56,7 @@ const resolveConfig = (runtimeConfig = {}) => {
if (idleSeconds < MIN_IDLE_TIMEOUT) {
return null;
}
if (!pingUrl || !logoutUrl || !csrfKey || !csrfToken) {
if (!pingUrl || !logoutFormId || !csrfKey || !csrfToken) {
warnOnce('UI_CONFIG_INVALID', 'Session warning config is incomplete', {
module: 'session-warning',
});
@@ -52,7 +66,7 @@ const resolveConfig = (runtimeConfig = {}) => {
return {
idleSeconds,
pingUrl,
logoutUrl,
logoutFormId,
csrfKey,
csrfToken,
selector,
@@ -230,7 +244,12 @@ export function initSessionWarning(root = document, runtimeConfig = {}) {
const doLogout = () => {
closeDialog();
window.location.href = config.logoutUrl;
const form = document.getElementById(config.logoutFormId);
if (!requestSubmitWithFallback(form)) {
warnOnce('UI_EL_MISSING', `Missing logout form: #${config.logoutFormId}`, {
module: 'session-warning',
});
}
};
const onUserInteraction = () => {