mirror of
https://github.com/ether/etherpad-lite.git
synced 2026-07-18 17:13:58 +00:00
* feat: make cookie names configurable with prefix setting Add cookie.prefix setting (default "ep_") that gets prepended to all cookie names set by Etherpad. This prevents conflicts with other applications on the same domain that use generic cookie names like "sessionID" or "token". Affected cookies: token, sessionID, language, prefs/prefsHttp, express_sid. The prefix is passed to the client via clientVars.cookiePrefix in the bootstrap templates so it's available before the handshake. Server-side cookie reads fall back to unprefixed names for backward compatibility during migration. Fixes #664 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: default cookie prefix to empty string for backward compatibility Changing the default to "ep_" would invalidate all existing sessions on upgrade since express-session only looks for the configured cookie name. Default to "" (no prefix) so upgrades are non-breaking — users opt-in to prefixed names by setting cookie.prefix in settings.json. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: address Qodo review — cookie prefix migration and fallbacks - l10n.ts: Read prefixed language cookie with fallback to unprefixed - welcome.ts: Use cookiePrefix for token transfer reads - timeslider.ts: Use prefix for sessionID in socket messages - pad_cookie.ts: Fall back to unprefixed prefs cookie for migration - indexBootstrap.js: Pass cookiePrefix via clientVars to welcome page - specialpages.ts: Pass settings to indexBootstrap template Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: escape regex metacharacters in cookie prefix, document Vite hardcode - l10n.ts: Escape special regex characters in cookiePrefix before using it in RegExp constructor to prevent runtime errors - padViteBootstrap.js: Add comment noting the hardcoded prefix is dev-only and must match settings.json Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * security: validate cookie prefix to prevent header injection Reject cookie.prefix values containing characters outside [a-zA-Z0-9_-] to prevent HTTP header injection via crafted cookie names (e.g., \r\n sequences). Falls back to empty prefix with an error log. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
47 lines
1.4 KiB
TypeScript
47 lines
1.4 KiB
TypeScript
import {ArgsExpressType} from "../../types/ArgsExpressType";
|
|
const db = require('../../db/DB');
|
|
import crypto from 'crypto'
|
|
import settings from '../../utils/Settings';
|
|
|
|
|
|
type TokenTransferRequest = {
|
|
token: string;
|
|
prefsHttp: string,
|
|
createdAt?: number;
|
|
}
|
|
|
|
const tokenTransferKey = "tokenTransfer:";
|
|
|
|
export const expressCreateServer = (hookName:string, {app}:ArgsExpressType) => {
|
|
app.post('/tokenTransfer', async (req, res) => {
|
|
const token = req.body as TokenTransferRequest;
|
|
if (!token || !token.token) {
|
|
return res.status(400).send({error: 'Invalid request'});
|
|
}
|
|
|
|
const id = crypto.randomUUID()
|
|
token.createdAt = Date.now();
|
|
|
|
await db.set(`${tokenTransferKey}:${id}`, token)
|
|
res.send({id});
|
|
})
|
|
|
|
app.get('/tokenTransfer/:token', async (req, res) => {
|
|
const id = req.params.token;
|
|
if (!id) {
|
|
return res.status(400).send({error: 'Invalid request'});
|
|
}
|
|
|
|
const tokenData = await db.get(`${tokenTransferKey}:${id}`);
|
|
if (!tokenData) {
|
|
return res.status(404).send({error: 'Token not found'});
|
|
}
|
|
|
|
const token = await db.get(`${tokenTransferKey}:${id}`)
|
|
|
|
const p = settings.cookie.prefix;
|
|
res.cookie(`${p}token`, tokenData.token, {path: '/', maxAge: 1000*60*60*24*365});
|
|
res.cookie(`${p}prefsHttp`, tokenData.prefsHttp, {path: '/', maxAge: 1000*60*60*24*365});
|
|
res.send(token);
|
|
})
|
|
}
|