innohub/tatort
7
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hide PIN during Anmeldung and within route guards

Browse Source
This commit is contained in:
Chi Cong Tran
2025-10-01 09:54:21 +02:00
parent e288d768bf
commit 45bcce0fb2
2 changed files with 17 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
src/routes/(token-based)/+layout.server.ts
View File

@@ -1,12 +1,9 @@
import { import { vorgangPINValidation, vorgangExists } from '$lib/server/vorgangService';
vorgangPINValidation,
vorgangExists
} from '$lib/server/vorgangService';
import { redirect } from '@sveltejs/kit'; import { redirect } from '@sveltejs/kit';
import type { PageServerLoad } from './list/[vorgang]/$types'; import type { PageServerLoad } from './list/[vorgang]/$types';
import { ROUTE_NAMES } from '..'; import { ROUTE_NAMES } from '..';
export const load: PageServerLoad = async ({ params, url, locals }) => { export const load: PageServerLoad = async ({ params, cookies, locals }) => {
if (locals.user) { if (locals.user) {
return { return {
user: locals.user user: locals.user
@@ -14,10 +11,12 @@ export const load: PageServerLoad = async ({ params, url, locals }) => {
} }
const vorgangToken = params.vorgang; const vorgangToken = params.vorgang;
const vorgangPIN = url.searchParams.get('pin'); const COOKIE_NAME = `token-${vorgangToken}`;
const vorgangPIN = cookies.get(COOKIE_NAME);
const isVorgangValid = vorgangExists(vorgangToken); const isVorgangValid = vorgangExists(vorgangToken);
const isVorgangPINValid = vorgangPINValidation(vorgangToken, vorgangPIN); const isVorgangPINValid = vorgangPINValidation(vorgangToken, vorgangPIN);
if (!isVorgangValid || !isVorgangPINValid) throw redirect(303, ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgangToken)); if (!isVorgangValid || !isVorgangPINValid)
throw redirect(303, ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgangToken));
}; };

13
src/routes/anmeldung/+page.server.ts
View File

@@ -1,3 +1,4 @@
import { dev } from '$app/environment';
import { loginUser, logoutUser } from '$lib/server/authService'; import { loginUser, logoutUser } from '$lib/server/authService';
import { redirect } from '@sveltejs/kit'; import { redirect } from '@sveltejs/kit';
import { ROUTE_NAMES } from '../index.js'; import { ROUTE_NAMES } from '../index.js';
@@ -5,13 +6,21 @@ import { ROUTE_NAMES } from '../index.js';
export const actions = { export const actions = {
login: ({ request, cookies }) => loginUser({ request, cookies }), login: ({ request, cookies }) => loginUser({ request, cookies }),
logout: (event) => logoutUser(event), logout: (event) => logoutUser(event),
getVorgangByToken: async ({ request }) => { getVorgangByToken: async ({ request, cookies }) => {
const data = await request.formData(); const data = await request.formData();
const vorgangToken = data.get('vorgang-token'); const vorgangToken = data.get('vorgang-token');
const vorgangPIN = data.get('vorgang-pin'); const vorgangPIN = data.get('vorgang-pin');
if (!vorgangToken || !vorgangPIN) return; if (!vorgangToken || !vorgangPIN) return;
throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken, vorgangPIN)); const COOKIE_NAME = `token-${vorgangToken}`
cookies.set(COOKIE_NAME, vorgangPIN, {
path: '/',
httpOnly: true,
sameSite: 'strict',
secure: !dev
});
throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken));
} }
} as const; } as const;