Only send token after verifying the homeserver
This commit is contained in:
parent
d3e3d5a2c8
commit
f7a6a266da
@ -290,8 +290,11 @@ export class Client {
|
||||
serverVersions: lastVersionsResponse.versions,
|
||||
});
|
||||
|
||||
// Let the serviceWorkerHandler know of this access-token
|
||||
this._platform.updateService.setAccessToken(sessionInfo.accessToken);
|
||||
// Let the serviceWorkerHandler know of this access-token and homeserver
|
||||
this._platform.updateService.updateAuthData({
|
||||
accessToken: sessionInfo.accessToken,
|
||||
homeserver: sessionInfo.homeServer,
|
||||
});
|
||||
|
||||
this._session = new Session({
|
||||
storage: this._storage,
|
||||
@ -382,7 +385,9 @@ export class Client {
|
||||
throw Error("No session loaded, cannot update access token");
|
||||
}
|
||||
this._session.updateAccessToken(token);
|
||||
await this._platform.updateService.setAccessToken(token);
|
||||
this._platform.updateService.updateAuthData({
|
||||
accessToken: token,
|
||||
});
|
||||
await this._platform.sessionInfoStorage.updateAccessToken(this._sessionId, token);
|
||||
}
|
||||
|
||||
|
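Review bot: The `homeserver` value sent to the service worker in the first hunk, `sessionInfo.homeServer`, is consumed in sw.js as `new URL(homeserver).origin`, so this call site only works if the stored value is an absolute URL including the scheme, and whether the session store guarantees that is not visible here; I would record the contract where it is sent: `// Must be an absolute URL (with scheme): the service worker compares its origin against each media request before attaching the token.` The second hunk intentionally passes only `accessToken`, and because `updateAuthData` merges into the previously stored values the homeserver set at startup is kept; a one-line comment there would stop someone "completing" the object with `homeserver: undefined`, which the spread merge would copy and thereby clobber the stored homeserver. Dropping the `await` is fine since `updateAuthData` is synchronous. Both enclosing methods start and end outside the hunks.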
@ -28,7 +28,7 @@ export class ServiceWorkerHandler {
|
||||
this._currentController = null;
|
||||
this._sessionInfoStorage = sessionInfoStorage;
|
||||
this.haltRequests = false;
|
||||
this._accessToken = null;
|
||||
this._authData = {};
|
||||
}
|
||||
|
||||
setNavigation(navigation) {
|
||||
@ -36,11 +36,16 @@ export class ServiceWorkerHandler {
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the access-token to be used within the service worker.
|
||||
* @param token An access-token
|
||||
* Set the access-token and homeserver to be used within the service worker.
|
||||
* @param auth An object with accessToken and homeserver
|
||||
*/
|
||||
setAccessToken(token) {
|
||||
this._accessToken = token;
|
||||
updateAuthData(auth) {
|
||||
if (!auth.accessToken && !auth.homeserver) {
|
||||
throw new Error(
|
||||
"updateAuthData argument must contain accessToken, homeserver or both!"
|
||||
);
|
||||
}
|
||||
this._authData = { ...this._authData, ...auth };
|
||||
}
|
||||
|
||||
registerAndStart(path) {
|
||||
@ -96,10 +101,10 @@ export class ServiceWorkerHandler {
|
||||
event.source.postMessage({ replyTo: data.id });
|
||||
} else if (data.type === "openRoom") {
|
||||
this._navigation.push("room", data.payload.roomId);
|
||||
} else if (data.type === "getAccessToken") {
|
||||
} else if (data.type === "getAuthInfo") {
|
||||
event.source.postMessage({
|
||||
replyTo: data.id,
|
||||
payload: this._accessToken,
|
||||
payload: this._authData,
|
||||
});
|
||||
}
|
||||
}
|
||||
|
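Review bot: `updateAuthData` merges with `{ ...this._authData, ...auth }`, and object spread copies keys whose value is `undefined`, so a caller passing `{ accessToken: t, homeserver: undefined }` passes the guard (the token is truthy) and silently erases the stored homeserver, after which every media request hits the worker's "homeserver … is null" error. Copy only defined values: `const defined = Object.fromEntries(Object.entries(auth).filter(([, v]) => v !== undefined));` followed by `this._authData = { ...this._authData, ...defined };`. The JSDoc should also state that the update is partial, e.g. `@param auth Object with accessToken and/or homeserver; keys not given keep their previously stored value`. The guard additionally treats an empty-string token as absent, which is probably intended but worth a word in the comment. The message handler hunk at the end of the section belongs to a method whose start and end lie outside the hunk.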
@ -124,25 +124,39 @@ async function handleRequest({ request, clientId }) {
|
||||
}
|
||||
|
||||
// Add access token for authenticated media endpoints
|
||||
if (request.url.includes("_matrix/client/v1/media")) {
|
||||
const headers = new Headers(request.headers);
|
||||
const pathNameStartsWithMediaPrefix =
|
||||
url.pathname.indexOf("/_matrix/client/v1/media") === 0;
|
||||
if (pathNameStartsWithMediaPrefix) {
|
||||
const client = await self.clients.get(clientId);
|
||||
const accessToken = await sendAndWaitForReply(
|
||||
const { accessToken, homeserver } = await sendAndWaitForReply(
|
||||
client,
|
||||
"getAccessToken",
|
||||
"getAuthInfo",
|
||||
{}
|
||||
);
|
||||
if (!accessToken) {
|
||||
throw new Error(
|
||||
"Token returned from getAccessToken message in sw.js is null"
|
||||
"Token returned from getAuthInfo message in sw.js is null!"
|
||||
);
|
||||
}
|
||||
headers.set("authorization", `Bearer ${accessToken}`);
|
||||
request = new Request(request, {
|
||||
mode: "cors",
|
||||
credentials: "omit",
|
||||
headers,
|
||||
});
|
||||
if (!homeserver) {
|
||||
throw new Error(
|
||||
"homeserver returned from getAuthInfo message in sw.js is null!"
|
||||
);
|
||||
}
|
||||
// Is this request actually going to the homeserver?
|
||||
const isRequestForHomeserver =
|
||||
new URL(homeserver).origin === url.origin;
|
||||
if (isRequestForHomeserver) {
|
||||
// Only add the access-token if we know that this request
|
||||
// is going to the homeserver.
|
||||
const headers = new Headers(request.headers);
|
||||
headers.set("authorization", `Bearer ${accessToken}`);
|
||||
request = new Request(request, {
|
||||
mode: "cors",
|
||||
credentials: "omit",
|
||||
headers,
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
let response = await readCache(request);
|
||||
|
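Review bot: The two null checks run before the origin comparison, so a media-path request to any third-party origin still triggers the `getAuthInfo` round-trip and fails with "Token … is null!" when no token is stored, even though that request would never carry the header; move the `if (!accessToken)` throw inside `if (isRequestForHomeserver)` and keep only the `homeserver` check ahead of the comparison. The prefix test `url.pathname.indexOf("/_matrix/client/v1/media") === 0` also matches `/_matrix/client/v1/mediaXYZ`; `url.pathname.startsWith("/_matrix/client/v1/media/")` is tighter and idiomatic. `new URL(homeserver)` throws a TypeError if the stored homeserver is not an absolute URL, which aborts the fetch with an opaque error rather than forwarding the request untouched — acceptable fail-closed behaviour, but it deserves a clear message, e.g. catch it and rethrow `new Error("homeserver from getAuthInfo is not a valid URL", { cause: err })`. Comparing full origins via `URL.origin` (scheme, host and port) is the right gate for the bearer header, and a comment saying so would help: `// Compare origins, not hostnames: the token must never leave the homeserver's scheme/host/port.` `url` and the enclosing `handleRequest` are defined outside the hunk.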