Fix tab session isolation by using stateless JWT and custom X-Authorization header
This commit is contained in:
@@ -90,14 +90,18 @@ function jwt_decode(string $jwt, string $secret): ?array {
|
|||||||
|
|
||||||
function getAuthorizationHeader(): string {
|
function getAuthorizationHeader(): string {
|
||||||
$headers = null;
|
$headers = null;
|
||||||
if (isset($_SERVER['Authorization'])) {
|
if (isset($_SERVER['HTTP_X_AUTHORIZATION'])) {
|
||||||
|
$headers = trim($_SERVER["HTTP_X_AUTHORIZATION"]);
|
||||||
|
} else if (isset($_SERVER['Authorization'])) {
|
||||||
$headers = trim($_SERVER["Authorization"]);
|
$headers = trim($_SERVER["Authorization"]);
|
||||||
} else if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
|
} else if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
|
||||||
$headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
|
$headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
|
||||||
} else if (function_exists('apache_request_headers')) {
|
} else if (function_exists('apache_request_headers')) {
|
||||||
$requestHeaders = apache_request_headers();
|
$requestHeaders = apache_request_headers();
|
||||||
$requestHeaders = array_change_key_case($requestHeaders, CASE_LOWER);
|
$requestHeaders = array_change_key_case($requestHeaders, CASE_LOWER);
|
||||||
if (isset($requestHeaders['authorization'])) {
|
if (isset($requestHeaders['x-authorization'])) {
|
||||||
|
$headers = trim($requestHeaders['x-authorization']);
|
||||||
|
} else if (isset($requestHeaders['authorization'])) {
|
||||||
$headers = trim($requestHeaders['authorization']);
|
$headers = trim($requestHeaders['authorization']);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -117,7 +121,7 @@ function getCurrentUser(): ?array {
|
|||||||
return $payload;
|
return $payload;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return $_SESSION['user'] ?? null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
+15
-3
@@ -264,11 +264,23 @@
|
|||||||
const originalFetch = window.fetch;
|
const originalFetch = window.fetch;
|
||||||
window.fetch = function(url, options) {
|
window.fetch = function(url, options) {
|
||||||
options = options || {};
|
options = options || {};
|
||||||
options.headers = options.headers || {};
|
|
||||||
const token = sessionStorage.getItem('user_token');
|
const token = sessionStorage.getItem('user_token');
|
||||||
if (token) {
|
if (token) {
|
||||||
if (!options.headers['Authorization'] && !options.headers['authorization']) {
|
if (options.headers instanceof Headers) {
|
||||||
options.headers['Authorization'] = 'Bearer ' + token;
|
if (!options.headers.has('Authorization')) {
|
||||||
|
options.headers.set('Authorization', 'Bearer ' + token);
|
||||||
|
}
|
||||||
|
if (!options.headers.has('X-Authorization')) {
|
||||||
|
options.headers.set('X-Authorization', 'Bearer ' + token);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
options.headers = options.headers || {};
|
||||||
|
if (!options.headers['Authorization'] && !options.headers['authorization']) {
|
||||||
|
options.headers['Authorization'] = 'Bearer ' + token;
|
||||||
|
}
|
||||||
|
if (!options.headers['X-Authorization'] && !options.headers['x-authorization']) {
|
||||||
|
options.headers['X-Authorization'] = 'Bearer ' + token;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return originalFetch(url, options);
|
return originalFetch(url, options);
|
||||||
|
|||||||
Reference in New Issue
Block a user