objective categorical abstract machine language personal data server


Defensively add DPoP-Nonce to use_dpop_nonce response

futur.blue c2896442 5e414f9d

verified
+22 -1
+22 -1
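--- a/pegasus/lib/xrpc.ml
+++ b/pegasus/lib/xrpc.ml
@@ -98,6 +98,18 @@
 
 let extract_nsid req = (Dream.path [@warning "-3"]) req |> List.rev |> List.hd
 
+let add_dpop_nonce_if_needed res =
+let nonce = Oauth.Dpop.next_nonce () in
+Dream.set_header res "DPoP-Nonce" nonce ;
+let expose_header = Dream.header res "Access-Control-Expose-Headers" in
+Dream.add_header res "Access-Control-Expose-Headers"
+( match expose_header with
+| Some headers when not @@ Util.str_contains ~affix:"DPoP-Nonce" headers ->
+headers ^ ", DPoP-Nonce"
+| _ ->
+"DPoP-Nonce" ) ;
+res
+
 let handler ?(auth : Auth.Verifiers.t = Any)
 ?(rate_limits : rate_limit_rule list = []) (hdlr : handler) (init : init) =
 let open Errors in
@@ -117,12 +129,21 @@
 with Rate_limiter.Rate_limit_exceeded status ->
 rate_limit_response status )
 | Error e ->
-exn_to_response e
+let%lwt res = exn_to_response e in
+Lwt.return
+( match e with
+| UseDpopNonceError ->
+add_dpop_nonce_if_needed res
+| _ ->
+res )
 with
 | Redirect r ->
 Dream.redirect init.req r
 | Rate_limiter.Rate_limit_exceeded status ->
 rate_limit_response status
+| UseDpopNonceError as e ->
+let%lwt res = exn_to_response e in
+Lwt.return (add_dpop_nonce_if_needed res)
 | e ->
 if not (is_xrpc_error e) then log_exn e ;
 exn_to_response e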
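Review bot: In `add_dpop_nonce_if_needed`, `Dream.add_header` appends a new `Access-Control-Expose-Headers` field instead of replacing the one just read. A response that already carries the header therefore ends up with the old field plus a copy extended by `, DPoP-Nonce`, and one that already lists `DPoP-Nonce` gets a redundant extra field through the `| _` branch. Browser clients should still be able to read the nonce, but the intent is clearer if the function does nothing when the name is present and otherwise appends only the missing name: `| Some headers when Util.str_contains ~affix:"DPoP-Nonce" headers -> ()` followed by `| _ -> Dream.add_header res "Access-Control-Expose-Headers" "DPoP-Nonce"`. `Dream.header` returns only the first field of that name, and the `Util.str_contains` check looks case-sensitive (its definition is outside this diff), so a lower-cased `dpop-nonce` entry or a later field would go undetected; this is worth confirming. The `_if_needed` suffix is also misleading, because `Dream.set_header res "DPoP-Nonce" nonce` runs unconditionally and replaces any nonce `exn_to_response` may already have set.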