hide PIN during Anmeldung and within route guards

2025-10-01 09:54:21 +02:00
parent e288d768bf
commit 45bcce0fb2
2 changed files with 17 additions and 9 deletions


@@ -1,12 +1,9 @@
import {
vorgangPINValidation,
vorgangExists
} from '$lib/server/vorgangService';
import { vorgangPINValidation, vorgangExists } from '$lib/server/vorgangService';
import { redirect } from '@sveltejs/kit';
import type { PageServerLoad } from './list/[vorgang]/$types';
import { ROUTE_NAMES } from '..';
export const load: PageServerLoad = async ({ params, url, locals }) => {
export const load: PageServerLoad = async ({ params, cookies, locals }) => {
if (locals.user) {
return {
user: locals.user
@@ -14,10 +11,12 @@ export const load: PageServerLoad = async ({ params, url, locals }) => {
}
const vorgangToken = params.vorgang;
const vorgangPIN = url.searchParams.get('pin');
const COOKIE_NAME = `token-${vorgangToken}`;
const vorgangPIN = cookies.get(COOKIE_NAME);
const isVorgangValid = vorgangExists(vorgangToken);
const isVorgangPINValid = vorgangPINValidation(vorgangToken, vorgangPIN);
if (!isVorgangValid || !isVorgangPINValid) throw redirect(303, ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgangToken));
if (!isVorgangValid || !isVorgangPINValid)
throw redirect(303, ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgangToken));
};
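Review bot: `cookies.get(COOKIE_NAME)` returns `string | undefined`, and that value is passed straight into `vorgangPINValidation` on the following line. Whether the service rejects a missing PIN is not visible in this section, so an explicit guard before the validation call, `if (!vorgangPIN) throw redirect(303, ROUTE_NAMES.ANMELDUNG_VORGANG_PARAM(vorgangToken));`, would make the fail-closed path obvious instead of relying on the helper. The cookie-name template `token-${vorgangToken}` is also repeated in the form action that sets the cookie; building it in one exported helper would keep the guard and the setter from drifting apart. A one-line comment above the lookup, `// PIN is read from the httpOnly cookie set by getVorgangByToken, never from the URL`, would record why the `pin` query parameter is no longer consulted.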


@@ -1,3 +1,4 @@
import { dev } from '$app/environment';
import { loginUser, logoutUser } from '$lib/server/authService';
import { redirect } from '@sveltejs/kit';
import { ROUTE_NAMES } from '../index.js';
@@ -5,13 +6,21 @@ import { ROUTE_NAMES } from '../index.js';
export const actions = {
login: ({ request, cookies }) => loginUser({ request, cookies }),
logout: (event) => logoutUser(event),
getVorgangByToken: async ({ request }) => {
getVorgangByToken: async ({ request, cookies }) => {
const data = await request.formData();
const vorgangToken = data.get('vorgang-token');
const vorgangPIN = data.get('vorgang-pin');
if (!vorgangToken || !vorgangPIN) return;
throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken, vorgangPIN));
const COOKIE_NAME = `token-${vorgangToken}`
cookies.set(COOKIE_NAME, vorgangPIN, {
path: '/',
httpOnly: true,
sameSite: 'strict',
secure: !dev
});
throw redirect(303, ROUTE_NAMES.VORGANG(vorgangToken));
}
} as const;
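Review bot: `vorgangToken` and `vorgangPIN` come from `data.get()`, which returns `FormDataEntryValue | null`, so either may be a `File`, and the token is interpolated unvalidated into the cookie name `token-${vorgangToken}`. A value containing characters that are not legal in a cookie name would likely make `cookies.set` throw instead of producing a clean failure. Narrow both values first, e.g. `if (typeof vorgangToken !== 'string' || typeof vorgangPIN !== 'string' || !vorgangToken || !vorgangPIN) return;`, and restrict the token to the format the service actually issues. The cookie also carries the PIN itself with `path: '/'` and no `maxAge`, so it is sent with every request to the site for the whole browser session. Scoping `path` to the Vorgang route and setting a short lifetime, or storing a server-issued opaque value in place of the PIN, would reduce that exposure.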