allow validation with headers, enforce same site on login cookies

Author: Plopmenz

astro-app/src/pages/api/login.ts

@@ -1,4 +1,4 @@
-import type { APIRoute } from "astro";
+import type { APIRoute, AstroCookieSetOptions } from "astro";
 import { isHex } from "viem";
 import { corsHeaders } from "../../lib/cors";
 
@@ -22,9 +22,9 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     const cookieOptions = {
       httpOnly: true,
       secure: true,
-      sameSite: "none",
+      sameSite: "strict",
       path: "/",
-    } as const;
+    } as AstroCookieSetOptions;
     cookies.set("xnode_auth_user", user, cookieOptions);
     if (user?.startsWith("eth:")) {
       const signature = body.signature;

astro-app/src/pages/api/validate.ts

@@ -27,14 +27,21 @@ export const GET: APIRoute = async ({ request, cookies }) => {
 
     const ip = request.headers.get("X-Forwarded-For");
 
-    let requestedUser = cookies.get("xnode_auth_user")?.value;
+    let requestedUser =
+      cookies.get("xnode_auth_user")?.value ??
+      request.headers.get("Xnode-Auth-User") ??
+      undefined;
     if (requestedUser?.startsWith("eth:")) {
-      const signature = cookies.get("xnode_auth_signature")?.value;
-      const timestamp = cookies.get("xnode_auth_timestamp")?.value;
-
+      const signature =
+        cookies.get("xnode_auth_signature")?.value ??
+        request.headers.get("Xnode-Auth-Signature");
       if (!isHex(signature)) {
         throw new Error(`Signature ${signature} is not valid hex.`);
       }
+
+      const timestamp =
+        cookies.get("xnode_auth_timestamp")?.value ??
+        request.headers.get("Xnode-Auth-Timestamp");
       if (!timestamp || isNaN(Number(timestamp))) {
         // add checks if timestamp in the future or too far in the past
         throw new Error(`Timestamp ${timestamp} is not a valid number.`);