hub / github.com/nodeSolidServer/node-solid-server / initWebId

Function initWebId

lib/create-app.mjs:245–312

/**
 * Sets up WebID-related functionality (account creation and authentication)
 *
 * @param argv {Object}
 * @param app {Function}
 * @param ldp {LDP}
 */

(argv, app, ldp)

Source

 * @param ldp {LDP}
 */
function initWebId (argv, app, ldp) {
  config.ensureWelcomePage(argv)

  // Store the user's session key in a cookie
  // (for same-domain browsing by people only)
  const useSecureCookies = !!argv.sslKey // use secure cookies when over HTTPS
  const sessionHandler = session(sessionSettings(useSecureCookies, argv.host))
  app.use(sessionHandler)
  // Reject cookies from third-party applications.
  // Otherwise, when a user is logged in to their Solid server,
  // any third-party application could perform authenticated requests
  // without permission by including the credentials set by the Solid server.
  app.use((req, res, next) => {
    const origin = req.get('origin')
    const trustedOrigins = ldp.getTrustedOrigins(req)
    const userId = req.session.userId
    // Exception: allow logout requests from all third-party apps
    // such that OIDC client can log out via cookie auth
    // TODO: remove this exception when OIDC clients
    // use Bearer token to authenticate instead of cookie
    // (https://github.com/solid/node-solid-server/pull/835#issuecomment-426429003)
    //
    // Authentication cookies are an optimization:
    // instead of going through the process of
    // fully validating authentication on every request,
    // we go through this process once,
    // and store its successful result in a cookie
    // that will be reused upon the next request.
    // However, that cookie can then be sent by any server,
    // even servers that have not gone through the proper authentication mechanism.
    // However, if trusted origins are enabled,
    // then any origin is allowed to take the shortcut route,
    // since malicious origins will be banned at the ACL checking phase.
    // https://github.com/solid/node-solid-server/issues/1117
    if (!argv.strictOrigin && !argv.host.allowsSessionFor(userId, origin, trustedOrigins) && !isLogoutRequest(req)) {
      debug.authentication(`Rejecting session for ${userId} from ${origin}`)
      // Destroy session data
      delete req.session.userId
      // Ensure this modified session is not saved
      req.session.save = (done) => done()
    }
    if (isLogoutRequest(req)) {
      delete req.session.userId
    }
    next()
  })

  const accountManager = AccountManager.from({
    authMethod: argv.auth,
    emailService: app.locals.emailService,
    tokenService: app.locals.tokenService,
    host: argv.host,
    accountTemplatePath: argv.templates.account,
    store: ldp,
    multiuser: argv.multiuser
  })
  app.locals.accountManager = accountManager

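The origin gate installed by the middleware above, modelled as a pure function so that each branch (first-party request, trusted origin, untrusted origin, logout, strictOrigin enabled) can be checked without Express. This is an added example, not node-solid-server code; `allowsSessionFor` and `isLogoutRequest` are simplified stand-ins whose rules are assumptions, and the request objects are constructed.

```javascript
// Stand-in for host.allowsSessionFor (assumed rule, not the project's): a
// cookie session is honoured for first-party requests (no Origin header, or
// Origin equal to the server's own origin) and for Origins listed as trusted.
function allowsSessionFor (serverOrigin, origin, trustedOrigins) {
  if (!origin || origin === serverOrigin) return true
  return trustedOrigins.includes(origin)
}

// Stand-in for isLogoutRequest (assumption: a POST to /logout).
function isLogoutRequest (req) {
  return req.method === 'POST' && req.path === '/logout'
}

// Same decision as the middleware on the page:
//  - strictOrigin off, untrusted Origin, not a logout: forget userId for this
//    request and do not persist the modified session;
//  - strictOrigin on: any Origin may use the cookie (ACL checks enforce origin);
//  - logout requests always clear userId so cookie-based logout keeps working.
// req.origin stands for req.get('origin'); req.session is a plain object here.
function applyOriginGate (argv, trustedOrigins, req) {
  const session = { ...req.session }
  const logout = isLogoutRequest(req)
  const rejected = !argv.strictOrigin &&
    !allowsSessionFor(argv.serverOrigin, req.origin, trustedOrigins) &&
    !logout
  if (rejected) delete session.userId   // delete req.session.userId
  if (logout) delete session.userId
  // saveSuppressed mirrors req.session.save = (done) => done()
  return { userId: session.userId, rejected, saveSuppressed: rejected }
}

// Constructed sample: a pod at https://alice.example with one trusted app.
const argv = { strictOrigin: false, serverOrigin: 'https://alice.example' }
const trusted = ['https://app.example']
const webId = 'https://alice.example/profile/card#me'
const makeReq = (origin, method = 'GET', path = '/inbox/') =>
  ({ origin, method, path, session: { userId: webId } })

const firstParty = applyOriginGate(argv, trusted, makeReq(undefined))
const trustedApp = applyOriginGate(argv, trusted, makeReq('https://app.example'))
const untrusted = applyOriginGate(argv, trusted, makeReq('https://other.example'))
const logoutCall = applyOriginGate(argv, trusted,
  makeReq('https://other.example', 'POST', '/logout'))
const strictMode = applyOriginGate({ ...argv, strictOrigin: true }, trusted,
  makeReq('https://other.example'))
```

Only `untrusted` loses its `userId` and has `saveSuppressed` set; `strictMode` shows that with `strictOrigin` on the cookie is accepted here and origin enforcement is left to the ACL phase.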

Callers (1)

createApp (Function) · 0.85

Calls (8)

sessionSettings (Function) · 0.85
isLogoutRequest (Function) · 0.85
initAuthentication (Function) · 0.85
LdpMiddleware (Function) · 0.85
getTrustedOrigins (Method) · 0.80
allowsSessionFor (Method) · 0.80
get (Method) · 0.45
from (Method) · 0.45

Tested by

no test coverage detected