Fix tab session isolation by using stateless JWT and custom X-Authorization header

This commit is contained in:
cygouw
2026-06-12 16:21:16 +07:00
parent f379de42e0
commit 559aa928bc
2 changed files with 22 additions and 6 deletions
+7 -3
View File
@@ -90,14 +90,18 @@ function jwt_decode(string $jwt, string $secret): ?array {
function getAuthorizationHeader(): string { function getAuthorizationHeader(): string {
$headers = null; $headers = null;
if (isset($_SERVER['Authorization'])) { if (isset($_SERVER['HTTP_X_AUTHORIZATION'])) {
$headers = trim($_SERVER["HTTP_X_AUTHORIZATION"]);
} else if (isset($_SERVER['Authorization'])) {
$headers = trim($_SERVER["Authorization"]); $headers = trim($_SERVER["Authorization"]);
} else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { } else if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
$headers = trim($_SERVER["HTTP_AUTHORIZATION"]); $headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
} else if (function_exists('apache_request_headers')) { } else if (function_exists('apache_request_headers')) {
$requestHeaders = apache_request_headers(); $requestHeaders = apache_request_headers();
$requestHeaders = array_change_key_case($requestHeaders, CASE_LOWER); $requestHeaders = array_change_key_case($requestHeaders, CASE_LOWER);
if (isset($requestHeaders['authorization'])) { if (isset($requestHeaders['x-authorization'])) {
$headers = trim($requestHeaders['x-authorization']);
} else if (isset($requestHeaders['authorization'])) {
$headers = trim($requestHeaders['authorization']); $headers = trim($requestHeaders['authorization']);
} }
} }
@@ -117,7 +121,7 @@ function getCurrentUser(): ?array {
return $payload; return $payload;
} }
} }
return $_SESSION['user'] ?? null; return null;
} }
/** /**
+15 -3
View File
@@ -264,11 +264,23 @@
const originalFetch = window.fetch; const originalFetch = window.fetch;
window.fetch = function(url, options) { window.fetch = function(url, options) {
options = options || {}; options = options || {};
options.headers = options.headers || {};
const token = sessionStorage.getItem('user_token'); const token = sessionStorage.getItem('user_token');
if (token) { if (token) {
if (!options.headers['Authorization'] && !options.headers['authorization']) { if (options.headers instanceof Headers) {
options.headers['Authorization'] = 'Bearer ' + token; if (!options.headers.has('Authorization')) {
options.headers.set('Authorization', 'Bearer ' + token);
}
if (!options.headers.has('X-Authorization')) {
options.headers.set('X-Authorization', 'Bearer ' + token);
}
} else {
options.headers = options.headers || {};
if (!options.headers['Authorization'] && !options.headers['authorization']) {
options.headers['Authorization'] = 'Bearer ' + token;
}
if (!options.headers['X-Authorization'] && !options.headers['x-authorization']) {
options.headers['X-Authorization'] = 'Bearer ' + token;
}
} }
} }
return originalFetch(url, options); return originalFetch(url, options);