95 lines
2.2 KiB
TypeScript
95 lines
2.2 KiB
TypeScript
import type { H3Event } from 'h3'
|
|
import { getCookie, setCookie, deleteCookie, getHeader } from 'h3'
|
|
|
|
const SESSION_COOKIE_NAME = 'routebox_session'
|
|
const SESSION_MAX_AGE = 60 * 60 * 24 * 7 // 7 days
|
|
|
|
export interface SessionData {
|
|
token: string
|
|
tenantId: string
|
|
userId: string
|
|
email: string
|
|
}
|
|
|
|
/**
|
|
* Determine if the request is over a secure connection
|
|
* Checks both direct HTTPS and proxy headers
|
|
*/
|
|
function isSecureRequest(event: H3Event): boolean {
|
|
// Check x-forwarded-proto header (set by reverse proxies)
|
|
const forwardedProto = getHeader(event, 'x-forwarded-proto')
|
|
if (forwardedProto === 'https') {
|
|
return true
|
|
}
|
|
|
|
// Check if NODE_ENV is production (assume HTTPS in production)
|
|
if (process.env.NODE_ENV === 'production') {
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
/**
|
|
* Get the session token from HTTP-only cookie
|
|
*/
|
|
export function getSessionToken(event: H3Event): string | null {
|
|
return getCookie(event, SESSION_COOKIE_NAME) || null
|
|
}
|
|
|
|
/**
|
|
* Set the session token in an HTTP-only cookie
|
|
*/
|
|
export function setSessionCookie(event: H3Event, token: string): void {
|
|
const secure = isSecureRequest(event)
|
|
|
|
setCookie(event, SESSION_COOKIE_NAME, token, {
|
|
httpOnly: true,
|
|
secure,
|
|
sameSite: 'lax',
|
|
maxAge: SESSION_MAX_AGE,
|
|
path: '/',
|
|
})
|
|
}
|
|
|
|
/**
|
|
* Clear the session cookie
|
|
*/
|
|
export function clearSessionCookie(event: H3Event): void {
|
|
deleteCookie(event, SESSION_COOKIE_NAME, {
|
|
path: '/',
|
|
})
|
|
}
|
|
|
|
/**
|
|
* Get tenant ID from a separate cookie (for SSR access)
|
|
* This is NOT the auth token - just tenant context
|
|
*/
|
|
export function getTenantIdFromCookie(event: H3Event): string | null {
|
|
return getCookie(event, 'routebox_tenant') || null
|
|
}
|
|
|
|
/**
|
|
* Set tenant ID cookie (readable by client for context)
|
|
*/
|
|
export function setTenantIdCookie(event: H3Event, tenantId: string): void {
|
|
const secure = isSecureRequest(event)
|
|
|
|
setCookie(event, 'routebox_tenant', tenantId, {
|
|
httpOnly: false, // Allow client to read tenant context
|
|
secure,
|
|
sameSite: 'lax',
|
|
maxAge: SESSION_MAX_AGE,
|
|
path: '/',
|
|
})
|
|
}
|
|
|
|
/**
|
|
* Clear tenant ID cookie
|
|
*/
|
|
export function clearTenantIdCookie(event: H3Event): void {
|
|
deleteCookie(event, 'routebox_tenant', {
|
|
path: '/',
|
|
})
|
|
}
|