* Stores the client's choice of login callback method in temporary cookies. * * The `authMethod` parameter specifies the authentication strategy and can have the following values: * - 'local': Standard authentication, * - 'api': Authentication for API use * - 'openid': OpenID authenti
| 216 | * @returns {Object|null} - Returns error object if validation fails, null if successful |
| 217 | */ |
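paramsToCookies(req, res, authMethod = 'local') {
  // Cookie lifetimes in milliseconds.
  const TWO_MINUTES = 120000 // only has to survive the redirect round-trip to the IdP and back
  const TEN_YEARS = 1000 * 60 * 60 * 24 * 365 * 10 // auth_method is remembered across sessions

  // Express query parsing can yield arrays/objects for repeated or bracketed
  // parameters (e.g. `?callback=a&callback=b`). Only plain strings are accepted
  // below, so a client-shaped non-string value never reaches the URL validator
  // or res.cookie (which would JSON-encode an object into the cookie value).
  const { state } = req.query
  const callback = req.query.redirect_uri || req.query.callback

  // Additional handling for non-API based authMethod
  if (!this.isAuthMethodAPIBased(authMethod)) {
    // Store 'auth_state' if present in the request and it is a plain string
    if (typeof state === 'string' && state) {
      res.cookie('auth_state', state, { maxAge: TWO_MINUTES, httpOnly: true })
    }

    // Validate and store the callback URL
    if (!callback) {
      res.status(400).send({ message: 'No callback parameter' })
      return { error: 'No callback parameter' }
    }

    // Security: Validate callback URL is same-origin only. A non-string callback
    // is rejected up front rather than being handed to the validator.
    // The rejected value is logged verbatim; presumably Logger neutralizes
    // control characters in messages — verify before relying on these logs.
    if (typeof callback !== 'string' || !this.oidcAuthStrategy.isValidWebCallbackUrl(callback, req)) {
      Logger.warn(`[Auth] Rejected invalid callback URL: ${callback}`)
      res.status(400).send({ message: 'Invalid callback URL - must be same-origin' })
      return { error: 'Invalid callback URL - must be same-origin' }
    }

    res.cookie('auth_cb', callback, { maxAge: TWO_MINUTES, httpOnly: true })
  }

  // NOTE(review): none of the cookies set here carry sameSite/secure attributes.
  // Whether they can be tightened depends on the IdP response mode (a POST-based
  // redirect would not carry a sameSite=lax cookie) and on where TLS terminates —
  // confirm against the deployment before changing them.

  // Store the authentication method for a long time so the same strategy is
  // picked up on subsequent logins
  Logger.debug(`[Auth] paramsToCookies: setting auth_method cookie to ${authMethod}`)
  res.cookie('auth_method', authMethod, { maxAge: TEN_YEARS, httpOnly: true })
  return null
}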
| 250 | |
| 251 | /** |
| 252 | * Informs the client in the right mode about a successful login and the token |