
Method loadSession

lib/api.js:576–648  ·  view source on GitHub ↗
(args, callback)


574 }
575
576 loadSession(args, callback) {
577 // Load user session or validate API Key
578 var self = this;
579 var now = Tools.timeNow(true);
580 var session_id = args.cookies['session_id'] || args.request.headers['x-session-id'] || args.params.session_id;
581
582 if (session_id) {
583 this.storage.get('sessions/' + session_id, function(err, session) {
584 if (err) return callback(err, null, null);
585
586 // csrf check
587 var csrf_token = args.request.headers['x-csrf-token'] || args.params.csrf_token || null;
588 if (self.usermgr.config.get('use_csrf') && !args.request.method.match(/^(GET|HEAD)$/) && session.csrf_token && (csrf_token != session.csrf_token)) {
589 self.logError('user', "Failed to validate session: Invalid CSRF Token", { username: session.username, ips: args.ips });
590 return callback(new Error("Invalid session"), null, null);
591 }
592
593 // also load user
594 self.storage.get('users/' + self.usermgr.normalizeUsername(session.username), function(err, user) {
595 if (err) return callback(err, null, null);
596
597 // set type to discern this from API Key sessions
598 session.type = 'user';
599
600 // scrub session_id from common places, so it doesn't interfere with API calls and isn't logged
601 delete args.params.session_id;
602 delete args.cookies['session_id'];
603 delete args.request.headers['x-session-id'];
604 delete args.request.headers['cookie'];
605
606 // cleanup csrf token mess as well
607 delete args.params.csrf_token;
608 delete args.request.headers['x-csrf-token'];
609
610 // pass both session and user to callback
611 callback(null, session, user);
612 } );
613 } );
614 return;
615 }
616
617 // no session found, look for API Key
618 var plain_key = args.request.headers['x-api-key'] || args.params.api_key || args.query.api_key;
619 if (!plain_key) return callback( new Error("No Session ID or API Key could be found"), null, null );
620
621 this.api.logDebug(9, "Client provided API key: " + plain_key.substring(0, 4) + '****');
622
623 // find active key with matching salted hash
624 var api_key = this.api_keys.find( function(api_key) {
625 if (!api_key.active) return false;
626 if (api_key.expires && (now >= api_key.expires)) return false;
627 return ( Tools.digestHex(plain_key + api_key.id, 'sha256') === api_key.key );
628 } );
629
630 if (!api_key) return callback(new Error("Invalid API Key"), null, null);
631
632 this.api.logDebug(9, "Matched server API Key: " + api_key.title + " (" + api_key.id + ")" );
633
