larvit/plainpages
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Secure cookie flags + CSRF for our own POST forms (todo §4); SECURE_COOKIES toggle on session/CSRF cookies; csrf.ts signed double-submit token + body.ts form reader; logout is now a CSRF-guarded POST form

Browse Source
This commit is contained in:
Lilleman auf Larv
2026-06-18 11:12:32 +02:00
parent dec55f85a6
commit 4b2173cb84
21 changed files with 241 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/body.ts Normal file
View File

@@ -0,0 +1,19 @@
// Read an application/x-www-form-urlencoded request body (todo §4). Our own POST forms are
// tiny, so cap the size and reject anything larger rather than buffer unbounded. Consumes the
// stream once; never throws on an empty body. The CSRF gate + §5 admin forms read fields here.
import type { IncomingMessage } from "node:http";
const DEFAULT_LIMIT = 1024 * 1024; // 1 MiB
export async function readFormBody(req: IncomingMessage, options: { limit?: number } = {}): Promise<URLSearchParams> {
const limit = options.limit ?? DEFAULT_LIMIT;
const chunks: Buffer[] = [];
let size = 0;
for await (const chunk of req) {
const buf = chunk as Buffer;
size += buf.length;
if (size > limit) throw new Error("request body exceeds limit");
chunks.push(buf);
}
return new URLSearchParams(Buffer.concat(chunks).toString("utf8"));
}