fix session token/cookie handling for arbitrary server IPs; fix realtime update distribution via websockets

2018-05-01 17:04:08 +02:00 · 2018-05-01 17:04:08 +02:00 · c19f00b316
commit c19f00b316
parent f752ec4219
10 changed files with 34 additions and 16012 deletions
--- a/middlewares/session.js
+++ b/middlewares/session.js
@ -16,7 +16,8 @@ module.exports = (req, res, next) => {
        else db.User.findOne({where: {_id: session.user_id}})
          .then(user => {
            if (!user) {
-              res.clearCookie('sdsession');
+              var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
              res.clearCookie('sdsession', { domain: domain });
              if (req.accepts("text/html")) {
                res.send("Please clear your cookies and try again.");
--- a/public/javascripts/spacedeck.js
+++ b/public/javascripts/spacedeck.js
--- a/public/javascripts/spacedeck_routes.js
+++ b/public/javascripts/spacedeck_routes.js
@ -252,8 +252,6 @@ var SpacedeckRoutes = {
      // #hash
      if (event.currentTarget.hash && event.currentTarget.hash.length>1) return;
      console.log("clicked", event.currentTarget.pathname);
      // external link?
      if (event.currentTarget.host != location.host) return;
@ -269,35 +267,6 @@ var SpacedeckRoutes = {
      event.preventDefault();
    }.bind(this));
    if (location.host!=ENV.webHost) {
      if (!subdomainTeam) {
        location.href = ENV.webEndpoint;
        return;
      } else {
        if(subdomainTeam.subdomain) {
          var realHost = (subdomainTeam.subdomain + "." + ENV.webHost);
          if (location.host != realHost) {
            location.href = realHost;
            return;
          }
        } else {
          location.href = ENV.webEndpoint;
          return;
        }
      }
    } 
    if (this.logged_in) {
      if (this.user.team) {
        if (this.user.team.subdomain && this.user.team.subdomain.length > 0) {
          var realHost = (this.user.team.subdomain + "." + ENV.webHost);         
          if (location.host != realHost) {
            location.href = location.protocol + "//" + realHost + location.pathname;
            return;
          }
        }
      }
    }
    this.internal_route(location.pathname);
  },
--- a/public/javascripts/spacedeck_users.js
+++ b/public/javascripts/spacedeck_users.js
@ -48,10 +48,6 @@ SpacedeckUsers = {
    },
    finalize_login: function(session_token, on_success) {
      if(!window.socket_auth || window.socket_auth == '' || window.socket_auth == 'null') {
        window.socket_auth = session_token;
      }
      this.load_user(function(user) {
        if (this.invitation_token) {
          accept_invitation(this.invitation_token, function(memberships){
--- a/public/javascripts/spacedeck_websockets.js
+++ b/public/javascripts/spacedeck_websockets.js
@ -101,11 +101,13 @@ SpacedeckWebsockets = {
      }
      if (this.websocket && this.websocket.readyState==1) {
        var token = "";
        if (this.user) token = this.user.token;
        var auth_params = {
          action: "auth",
          editor_auth: space_auth,
          editor_name: this.guest_nickname,
-          auth_token: window.socket_auth,
+          auth_token: token,
          space_id: space._id
        };
        console.log("[websocket] auth space");
--- a/routes/api/sessions.js
+++ b/routes/api/sessions.js
@ -23,15 +23,11 @@ router.post('/', function(req, res) {
  db.User.findOne({where: {email: email}})
    .error(err => {
      res.sendStatus(404);
      //res.status(400).json({"error":"session.users"});
    })
    .then(user => {
      console.log("!!! user: ",user.password_hash);
      if (bcrypt.compareSync(password, user.password_hash)) {
        crypto.randomBytes(48, function(ex, buf) {
          var token = buf.toString('hex');
          console.log("!!! token: ",token);
          var session = {
            user_id: user._id,
@ -47,7 +43,7 @@ router.post('/', function(req, res) {
              res.sendStatus(500);
            })
            .then(() => {
-              var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : "localhost";
+              var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
              res.cookie('sdsession', token, { domain: domain, httpOnly: true });
              res.status(201).json(session);
            });
@ -60,16 +56,14 @@ router.post('/', function(req, res) {
 router.delete('/current', function(req, res, next) {
  if (req.user) {
-    /*var user = req.user;
+    var token = req.cookies['sdsession'];
-    var newSessions = user.sessions.filter( function(session){
+    db.Session.findOne({where: {token: token}})
-      return session.token != req.token;
+      .then(session => {
-    });*/
+        session.destroy();
-    //user.sessions = newSessions;
+      });
-    //user.save(function(err, result) {
+    var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
      var domain = new URL(config.get('endpoint')).hostname;
    res.clearCookie('sdsession', { domain: domain });
    res.sendStatus(204);
    //});
  } else {
    res.sendStatus(404);
  }
--- a/routes/api/space_artifacts.js
+++ b/routes/api/space_artifacts.js
@ -133,7 +133,7 @@ router.post('/:artifact_id/payload', function(req, res, next) {
    var progress_callback = function(progress_msg) {
      a.description = progress_msg;
      a.save();
-      redis.sendMessage("update", a, a.toJSON(), req.channelId);
+      redis.sendMessage("update", a, JSON.stringify(a), req.channelId);
    };
    stream.on('finish', function() {
@ -171,6 +171,7 @@ router.put('/:artifact_id', function(req, res, next) {
  }}).then(rows => {
    db.unpackArtifact(newAttr);
    db.Space.update({ updated_at: new Date() }, {where: {_id: req.space._id} });
    newAttr._id = a._id;
    res.distributeUpdate("Artifact", newAttr);
  });
 });
--- a/routes/api/space_exports.js
+++ b/routes/api/space_exports.js
@ -240,7 +240,6 @@ router.get('/zip', function(req, res, next) {
 });
 router.get('/html', function(req, res) {
  console.log("!!!!! hello ");
  db.Artifact.findAll({where: {
    space_id: req.space._id
  }}).then(function(artifacts) {
--- a/routes/api/users.js
+++ b/routes/api/users.js
@ -25,8 +25,15 @@ var glob = require('glob');
 router.get('/current', function(req, res, next) {
  if (req.user) {
-    console.log(req.user.team);
+    var u = _.clone(req.user.dataValues);
-    res.status(200).json(req.user);
+    delete u.password_hash;
    delete u.password_reset_token;
    delete u.confirmation_token;
    u.token = req.cookies['sdsession'];
    console.log(u);
    res.status(200).json(u);
  } else {
    res.status(401).json({"error":"user_not_found"});
  }
--- a/views/spacedeck.html
+++ b/views/spacedeck.html
@ -22,29 +22,13 @@
      window.browser_lang = '[[locale]]';
      window.csrf_token = '[[csrf_token]]';
      {% if process.env.NODE_ENV != "production" %}
      var ENV = {
        name: 'development',
          webHost: "localhost:9666",
          webEndpoint:"http://localhost:9666",
          apiEndpoint: "http://localhost:9666",
          websocketsEndpoint: "ws://localhost:9666"
        };
      {% else %}
        var ENV = {
          name: 'production',
        webHost: location.host,
        webEndpoint: location.origin,
        apiEndpoint: location.origin,
        websocketsEndpoint: location.origin.replace("https:","wss:").replace("http:","ws:")
      };
      {% endif %}
      {% if subdomain_team %}
        var subdomainTeam = [[ subdomain_team | json | safe ]];
      {% else %}
        var subdomainTeam = null;
      {% endif %}
    </script>
    {% if process.env.NODE_ENV == "production" %}