authorFuwn <[email protected]>2026-06-02 12:59:04 +0000
committerFuwn <[email protected]>2026-06-02 12:59:04 +0000
commit76d710493e2496490f9e2f9894cf581757f4d92e (patch)
treedd7b196588d26dd1134322c526ec43eb9721de61 /src/routes/settings/+page.server.ts
parentfeat(security): add AES-GCM feed-token helper (M5) (diff)
fix(security): replace RSS feed URL tokens with encrypted token (M5)
Diffstat (limited to 'src/routes/settings/+page.server.ts')
-rw-r--r--src/routes/settings/+page.server.ts14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/routes/settings/+page.server.ts b/src/routes/settings/+page.server.ts
new file mode 100644
index 00000000..321e5cfd
--- /dev/null
+++ b/src/routes/settings/+page.server.ts
@@ -0,0 +1,14 @@
+import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie";
+import { encryptFeedToken } from "$lib/Utility/feedToken";
+
+// Mint the RSS feed token server-side: the encryption key never reaches the
+// client, so the URL is built here from the refresh token already in the cookie
+// rather than from tokens handed to the browser.
+export const load = async ({ cookies }) => {
+ const cookie = cookies.get("user");
+ const user = cookie ? decodeAuthCookieOrNull(cookie) : null;
+
+ return {
+ feedToken: user ? await encryptFeedToken(user.refreshToken) : undefined,
+ };
+};
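Review bot: In `load`, the ternary guards only on `user` being non-null, so a cookie that decodes but carries no `refreshToken` (or an empty one) is still handed to `encryptFeedToken`; guarding on the field itself, `feedToken: user?.refreshToken ? await encryptFeedToken(user.refreshToken) : undefined,`, keeps a malformed cookie from producing a token or a 500. Neither helper is visible in this diff, so whether `decodeAuthCookieOrNull` authenticates the cookie is an assumption to confirm; if it only parses, the server would encrypt a caller-supplied string under the feed key, which matters if that key is shared with any other use. It would also help to extend the comment above `load` to say that the returned value is a bearer credential wrapping the refresh token and is serialized into the page data, so the settings response should not be cached or logged.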