SecurityManager: Restrict valid author token values

src/static/js/pad_utils.js

@@ -88,6 +88,9 @@ const urlRegex = (() => {
       `(?:${withAuth}|${withoutAuth}|www\\.)${urlChar}*(?!${postUrlPunct})${urlChar}`, 'g');
 })();
 
+// https://stackoverflow.com/a/68957976
+const base64url = /^(?=(?:.{4})*$)[A-Za-z0-9_-]*(?:[AQgw]==|[AEIMQUYcgkosw048]=)?$/;
+
 const padutils = {
   /**
    * Prints a warning message followed by a stack trace (to make it easier to figure out what code
@@ -328,6 +331,21 @@ const padutils = {
     }
   }),
 
+  /**
+   * Returns whether a string has the expected format to be used as a secret token identifying an
+   * author. The format is defined as: 't.' followed by a non-empty base64url string (RFC 4648
+   * section 5 with padding).
+   *
+   * Being strict about what constitutes a valid token enables unambiguous extensibility (e.g.,
+   * conditional transformation of a token to a database key in a way that does not allow a
+   * malicious user to impersonate another user).
+   */
+  isValidAuthorToken: (t) => {
+    if (typeof t !== 'string' || !t.startsWith('t.')) return false;
+    const v = t.slice(2);
+    return v.length > 0 && base64url.test(v);
+  },
+
   /**
    * Returns a string that can be used in the `token` cookie as a secret that authenticates a
    * particular author.