/*
In the interest of security (limiting the blast radius of any "XSS" or other
code execution inside a project), we strip the "remember_me" auth cookie -- and
the API key cookie -- from the Cookie header before passing anything along via
the proxy.

This matters because it is critical that neither the project nor anything
running inside the project can get access to a user's auth cookie.  I.e.,
malicious code running in a project must not be able to steal the auth
credentials of every user who collaborates on that project!
*/
import {
REMEMBER_ME_COOKIE_NAME,
API_COOKIE_NAME,
} from "@cocalc/backend/auth/cookie-names";
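/**
 * Split a raw `Cookie` request header into the part that is safe to forward
 * to a project and the two credentials that must never reach it.
 *
 * The header is parsed as `;`-separated `name=value` pairs.  Pairs whose
 * trimmed name is exactly `REMEMBER_ME_COOKIE_NAME` or `API_COOKIE_NAME` are
 * removed and their trimmed values returned separately, so the hub can use
 * them to authenticate the request itself; every other pair is forwarded
 * verbatim (original spacing preserved).  Only this one header is sanitized
 * here -- callers remain responsible for anything else on the request.
 *
 * @param cookie - The raw `Cookie` header, or `undefined` when the request
 *   carried none.
 * @returns `cookie`: the header with the credential cookies removed (the input
 *   itself when it was nullish, so "no header" stays distinguishable from an
 *   empty one); `remember_me` / `api_key`: the value of the stripped cookie,
 *   `""` if it was sent without a value, or `undefined` when it was absent.
 *   If a name appears more than once, the last occurrence wins.
 */
export default function stripRememberMeCookie(cookie: string | undefined): {
  cookie: string | undefined;
  remember_me: string | undefined; // the value of the cookie we just stripped out.
  api_key: string | undefined;
} {
  if (cookie == null) {
    // Nothing to sanitize; pass the (missing) header through unchanged.
    return { cookie, remember_me: undefined, api_key: undefined };
  }

  const forwarded: string[] = []; // pairs that may reach the project
  let remember_me: string | undefined = undefined;
  let api_key: string | undefined = undefined;

  for (const pair of cookie.split(";")) {
    // Split at the FIRST '=' only: cookie values may legitimately contain
    // '=' (e.g. base64 padding), and a naive split("=") would truncate them.
    const eq = pair.indexOf("=");
    const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
    // A bare name with no '=' (malformed or hostile header) must still be
    // stripped rather than crash the proxy; it yields an empty value.
    const value = eq === -1 ? "" : pair.slice(eq + 1).trim();

    if (name === REMEMBER_ME_COOKIE_NAME) {
      // Keep the value for the hub, but never let it travel to the project.
      remember_me = value;
    } else if (name === API_COOKIE_NAME) {
      api_key = value;
    } else {
      forwarded.push(pair);
    }
  }

  // Re-join with the same separator we split on so untouched pairs keep
  // their original surrounding whitespace.
  return { cookie: forwarded.join(";"), remember_me, api_key };
}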