http only cookie

ppy-sb · Jul 12, 2023 · f5852ca · f5852ca
1 parent d15b8fa
commit f5852ca
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 32 deletions.
diff --git a/src/middleware/session.global.ts b/src/middleware/session.global.ts
@@ -1,11 +1,7 @@
 import { useSession } from '~/store/session'
 
 export default defineNuxtRouteMiddleware(async () => {
-  const sessionId = useCookie('session')
   const session = useSession()
-  if (!sessionId.value) {
-    return
-  }
   if (session.loggedIn) {
     return
   }

diff --git a/src/plugins/session.ts b/src/plugins/session.ts
@@ -1,10 +1,6 @@
 import { useSession } from '~/store/session'
 
 export default defineNuxtPlugin(async () => {
-  const sessionId = useCookie('session')
   const session = useSession()
-  if (!sessionId.value) {
-    return
-  }
   await session.retrieve()
 })
diff --git a/src/server/trpc/middleware/session.ts b/src/server/trpc/middleware/session.ts
@@ -71,11 +71,15 @@ function createSession(e: H3Event) {
   return r
 }
 
+const config = {
+  httpOnly: true,
+}
+
 export const sessionProcedure = publicProcedure
   .use(async ({ ctx, next }) => {
     if (!ctx.session.id) {
       const sessionId = await sessionProvider.create(createSession(ctx.h3Event))
-      setCookie(ctx.h3Event, 'session', sessionId)
+      setCookie(ctx.h3Event, 'session', sessionId, config)
       return await next({
         ctx: Object.assign(ctx, {
           session: {
@@ -87,7 +91,7 @@ export const sessionProcedure = publicProcedure
     const session = await sessionProvider.get(ctx.session.id)
     if (session == null) {
       const sessionId = await sessionProvider.create(createSession(ctx.h3Event))
-      setCookie(ctx.h3Event, 'session', sessionId)
+      setCookie(ctx.h3Event, 'session', sessionId, config)
       return await next({
         ctx: Object.assign(ctx, {
           session: {
@@ -105,7 +109,7 @@ export const sessionProcedure = publicProcedure
         })
       }
       if (refreshed !== ctx.session.id) {
-        setCookie(ctx.h3Event, 'session', refreshed)
+        setCookie(ctx.h3Event, 'session', refreshed, config)
       }
 
       return await next({

diff --git a/src/server/trpc/routers/session.ts b/src/server/trpc/routers/session.ts
@@ -48,7 +48,7 @@ export const router = _router({
         }
         const newSessionId = await sessionProvider.update(ctx.session.id, { userId: UserProvider.idToString(user.id) })
         if (newSessionId && newSessionId !== ctx.session.id) {
-          setCookie(ctx.h3Event, 'session', newSessionId)
+          setCookie(ctx.h3Event, 'session', newSessionId, { httpOnly: true })
         }
         return {
           user: mapId(user, UserProvider.idToString),
@@ -68,21 +68,8 @@ export const router = _router({
       }
     }),
   retrieve: pSession
-    .input(
-      z
-        .object({
-          sessionId: z.string().optional(),
-        })
-        .optional()
-    )
-    .query(async ({ ctx, input }) => {
-      let session
-      if (input?.sessionId) {
-        session = await sessionProvider.get(input.sessionId)
-      }
-      else {
-        session = await ctx.session.getBinding()
-      }
+    .query(async ({ ctx }) => {
+      const session = await ctx.session.getBinding()
 
       if (!session) {
         throw new TRPCError({
@@ -110,6 +97,7 @@ export const router = _router({
       }
     }),
   destroy: pSession.mutation(({ ctx }) => {
+    deleteCookie(ctx.h3Event, 'session')
     return sessionProvider.destroy(ctx.session.id)
   }),
 })
diff --git a/src/store/session.ts b/src/store/session.ts
@@ -52,11 +52,6 @@ export const useSession = defineStore('session', {
     async destroy() {
       const app$ = useNuxtApp()
       app$.$client.session.destroy.mutate()
-        .then(() => {
-          this.$reset()
-          const cookie = useCookie('session')
-          cookie.value = ''
-        })
     },
     async retrieve() {
       try {