fix session token/cookie handling for arbitrary server IPs; fix realtime update distribution via websockets
This commit is contained in:
parent
f752ec4219
commit
c19f00b316
@ -16,7 +16,8 @@ module.exports = (req, res, next) => {
|
|||||||
else db.User.findOne({where: {_id: session.user_id}})
|
else db.User.findOne({where: {_id: session.user_id}})
|
||||||
.then(user => {
|
.then(user => {
|
||||||
if (!user) {
|
if (!user) {
|
||||||
res.clearCookie('sdsession');
|
var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
|
||||||
|
res.clearCookie('sdsession', { domain: domain });
|
||||||
|
|
||||||
if (req.accepts("text/html")) {
|
if (req.accepts("text/html")) {
|
||||||
res.send("Please clear your cookies and try again.");
|
res.send("Please clear your cookies and try again.");
|
||||||
|
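Review bot: `req.headers.hostname` on the new `var domain` line is almost certainly `undefined`, because Node lowercases incoming header names and HTTP has no `Hostname` header, so unless a proxy injects one the non-production branch clears the cookie with no Domain attribute at all. Express exposes the Host header with the port stripped as `req.hostname`, which is the form a cookie `domain` needs (`req.headers.host` would carry `:9666`), so `... : req.hostname;` is the literal fix; the same expression is used where the cookie is set in the sessions router (`res.cookie('sdsession', ...)`) and in `router.delete('/current')`, and the set and clear sides must agree or the cookie is never removed. For a single-host deployment it is simpler, and works for bare IP addresses too, to omit `domain` entirely and send a host-only cookie, since browsers differ in how they treat an IP literal in a Domain attribute. Anything derived from the Host header is client-supplied, so if this branch is ever reached in production, `trust proxy` should only be enabled behind a known proxy. The enclosing middleware starts and ends outside the hunk.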
@ -252,8 +252,6 @@ var SpacedeckRoutes = {
|
|||||||
// #hash
|
// #hash
|
||||||
if (event.currentTarget.hash && event.currentTarget.hash.length>1) return;
|
if (event.currentTarget.hash && event.currentTarget.hash.length>1) return;
|
||||||
|
|
||||||
console.log("clicked", event.currentTarget.pathname);
|
|
||||||
|
|
||||||
// external link?
|
// external link?
|
||||||
if (event.currentTarget.host != location.host) return;
|
if (event.currentTarget.host != location.host) return;
|
||||||
|
|
||||||
@ -269,35 +267,6 @@ var SpacedeckRoutes = {
|
|||||||
event.preventDefault();
|
event.preventDefault();
|
||||||
}.bind(this));
|
}.bind(this));
|
||||||
|
|
||||||
if (location.host!=ENV.webHost) {
|
|
||||||
if (!subdomainTeam) {
|
|
||||||
location.href = ENV.webEndpoint;
|
|
||||||
return;
|
|
||||||
} else {
|
|
||||||
if(subdomainTeam.subdomain) {
|
|
||||||
var realHost = (subdomainTeam.subdomain + "." + ENV.webHost);
|
|
||||||
if (location.host != realHost) {
|
|
||||||
location.href = realHost;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
location.href = ENV.webEndpoint;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (this.logged_in) {
|
|
||||||
if (this.user.team) {
|
|
||||||
if (this.user.team.subdomain && this.user.team.subdomain.length > 0) {
|
|
||||||
var realHost = (this.user.team.subdomain + "." + ENV.webHost);
|
|
||||||
if (location.host != realHost) {
|
|
||||||
location.href = location.protocol + "//" + realHost + location.pathname;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
this.internal_route(location.pathname);
|
this.internal_route(location.pathname);
|
||||||
},
|
},
|
||||||
|
|
||||||
|
@ -48,10 +48,6 @@ SpacedeckUsers = {
|
|||||||
},
|
},
|
||||||
|
|
||||||
finalize_login: function(session_token, on_success) {
|
finalize_login: function(session_token, on_success) {
|
||||||
if(!window.socket_auth || window.socket_auth == '' || window.socket_auth == 'null') {
|
|
||||||
window.socket_auth = session_token;
|
|
||||||
}
|
|
||||||
|
|
||||||
this.load_user(function(user) {
|
this.load_user(function(user) {
|
||||||
if (this.invitation_token) {
|
if (this.invitation_token) {
|
||||||
accept_invitation(this.invitation_token, function(memberships){
|
accept_invitation(this.invitation_token, function(memberships){
|
||||||
|
@ -59,13 +59,13 @@ SpacedeckWebsockets = {
|
|||||||
else if (msg.action == "delete" && msg.object) {
|
else if (msg.action == "delete" && msg.object) {
|
||||||
if (this.active_space) {
|
if (this.active_space) {
|
||||||
var o = msg.object;
|
var o = msg.object;
|
||||||
if(o._id){
|
if (o._id){
|
||||||
var existing_artifact = this.find_artifact_by_id(o._id);
|
var existing_artifact = this.find_artifact_by_id(o._id);
|
||||||
if (existing_artifact) {
|
if (existing_artifact) {
|
||||||
var idx = this.active_space_artifacts.indexOf(existing_artifact);
|
var idx = this.active_space_artifacts.indexOf(existing_artifact);
|
||||||
this.active_space_artifacts.splice(idx, 1);
|
this.active_space_artifacts.splice(idx, 1);
|
||||||
} else console.log("existing artifact to delete not found");
|
} else console.log("existing artifact to delete not found");
|
||||||
}else console.error("object without _id");
|
} else console.error("object without _id");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -101,11 +101,13 @@ SpacedeckWebsockets = {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (this.websocket && this.websocket.readyState==1) {
|
if (this.websocket && this.websocket.readyState==1) {
|
||||||
|
var token = "";
|
||||||
|
if (this.user) token = this.user.token;
|
||||||
var auth_params = {
|
var auth_params = {
|
||||||
action: "auth",
|
action: "auth",
|
||||||
editor_auth: space_auth,
|
editor_auth: space_auth,
|
||||||
editor_name: this.guest_nickname,
|
editor_name: this.guest_nickname,
|
||||||
auth_token: window.socket_auth,
|
auth_token: token,
|
||||||
space_id: space._id
|
space_id: space._id
|
||||||
};
|
};
|
||||||
console.log("[websocket] auth space");
|
console.log("[websocket] auth space");
|
||||||
|
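Review bot: `auth_token: token` now sends `this.user.token`, and this commit's `/users/current` change fills that field from the `sdsession` cookie, so the httpOnly session cookie value is handed to page JavaScript and then sent over the websocket; any script injection on the page can read it from `this.user`. If the socket server only needs to bind the connection to a session, a separate short-lived socket credential minted by the server would keep the session cookie out of script reach, which is what the removed `window.socket_auth` appears to have been for. Independently, `token` silently falls back to `""` when there is no user, so `var token = "";` deserves a comment such as `// empty token = guest/anonymous socket auth` stating that this is intentional. `this.websocket.readyState==1` would read better as `this.websocket.readyState === WebSocket.OPEN`. The enclosing method starts and ends outside the hunk.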
@ -23,15 +23,11 @@ router.post('/', function(req, res) {
|
|||||||
db.User.findOne({where: {email: email}})
|
db.User.findOne({where: {email: email}})
|
||||||
.error(err => {
|
.error(err => {
|
||||||
res.sendStatus(404);
|
res.sendStatus(404);
|
||||||
//res.status(400).json({"error":"session.users"});
|
|
||||||
})
|
})
|
||||||
.then(user => {
|
.then(user => {
|
||||||
console.log("!!! user: ",user.password_hash);
|
|
||||||
|
|
||||||
if (bcrypt.compareSync(password, user.password_hash)) {
|
if (bcrypt.compareSync(password, user.password_hash)) {
|
||||||
crypto.randomBytes(48, function(ex, buf) {
|
crypto.randomBytes(48, function(ex, buf) {
|
||||||
var token = buf.toString('hex');
|
var token = buf.toString('hex');
|
||||||
console.log("!!! token: ",token);
|
|
||||||
|
|
||||||
var session = {
|
var session = {
|
||||||
user_id: user._id,
|
user_id: user._id,
|
||||||
@ -47,7 +43,7 @@ router.post('/', function(req, res) {
|
|||||||
res.sendStatus(500);
|
res.sendStatus(500);
|
||||||
})
|
})
|
||||||
.then(() => {
|
.then(() => {
|
||||||
var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : "localhost";
|
var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
|
||||||
res.cookie('sdsession', token, { domain: domain, httpOnly: true });
|
res.cookie('sdsession', token, { domain: domain, httpOnly: true });
|
||||||
res.status(201).json(session);
|
res.status(201).json(session);
|
||||||
});
|
});
|
||||||
@ -60,16 +56,14 @@ router.post('/', function(req, res) {
|
|||||||
|
|
||||||
router.delete('/current', function(req, res, next) {
|
router.delete('/current', function(req, res, next) {
|
||||||
if (req.user) {
|
if (req.user) {
|
||||||
/*var user = req.user;
|
var token = req.cookies['sdsession'];
|
||||||
var newSessions = user.sessions.filter( function(session){
|
db.Session.findOne({where: {token: token}})
|
||||||
return session.token != req.token;
|
.then(session => {
|
||||||
});*/
|
session.destroy();
|
||||||
//user.sessions = newSessions;
|
});
|
||||||
//user.save(function(err, result) {
|
var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
|
||||||
var domain = new URL(config.get('endpoint')).hostname;
|
res.clearCookie('sdsession', { domain: domain });
|
||||||
res.clearCookie('sdsession', { domain: domain });
|
res.sendStatus(204);
|
||||||
res.sendStatus(204);
|
|
||||||
//});
|
|
||||||
} else {
|
} else {
|
||||||
res.sendStatus(404);
|
res.sendStatus(404);
|
||||||
}
|
}
|
||||||
|
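Review bot: In `router.delete('/current')` the `db.Session.findOne(...).then(session => { session.destroy(); })` chain is neither awaited nor given a `.catch`, so the cookie is cleared and `204` is sent before the row is actually destroyed, and a cookie token with no matching row makes `session.destroy()` throw inside the promise as an unhandled rejection after the response has gone out. Returning the destroy promise, sending the response from a following `.then`, and ending the chain with `.catch(next)` closes both gaps; the rewritten lines are below. The earlier hunk in this file still dereferences `user.password_hash` without checking that `findOne` returned a row, which the `.error` handler does not cover; `req.headers.hostname` is discussed on the middleware hunk. The route's closing lines are outside the hunk.
```javascript
    var token = req.cookies['sdsession'];
    db.Session.findOne({where: {token: token}})
      .then(session => {
        // no row is not an error: the cookie is stale, still clear it below
        if (session) return session.destroy();
      })
      .then(() => {
        var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
        res.clearCookie('sdsession', { domain: domain });
        res.sendStatus(204);
      })
      .catch(next);
```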
@ -133,7 +133,7 @@ router.post('/:artifact_id/payload', function(req, res, next) {
|
|||||||
var progress_callback = function(progress_msg) {
|
var progress_callback = function(progress_msg) {
|
||||||
a.description = progress_msg;
|
a.description = progress_msg;
|
||||||
a.save();
|
a.save();
|
||||||
redis.sendMessage("update", a, a.toJSON(), req.channelId);
|
redis.sendMessage("update", a, JSON.stringify(a), req.channelId);
|
||||||
};
|
};
|
||||||
|
|
||||||
stream.on('finish', function() {
|
stream.on('finish', function() {
|
||||||
@ -171,6 +171,7 @@ router.put('/:artifact_id', function(req, res, next) {
|
|||||||
}}).then(rows => {
|
}}).then(rows => {
|
||||||
db.unpackArtifact(newAttr);
|
db.unpackArtifact(newAttr);
|
||||||
db.Space.update({ updated_at: new Date() }, {where: {_id: req.space._id} });
|
db.Space.update({ updated_at: new Date() }, {where: {_id: req.space._id} });
|
||||||
|
newAttr._id = a._id;
|
||||||
res.distributeUpdate("Artifact", newAttr);
|
res.distributeUpdate("Artifact", newAttr);
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
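Review bot: `newAttr._id = a._id;` before `res.distributeUpdate("Artifact", newAttr)` deserves a why-comment, because the websocket handlers locate objects by `_id` and `newAttr` otherwise carries whatever id the client sent; `// broadcast must carry the server-side id: clients look artifacts up by _id` would do. More broadly, if `newAttr` is built from the request body (its origin is outside the hunk), everything the client put in it is forwarded to every other client in the space, so it may be worth broadcasting only the columns the `update` actually persisted. In the `/payload` hunk, `JSON.stringify(a)` now passes a string where `a.toJSON()` passed an object, which is only correct if every consumer of `redis.sendMessage` expects a string; the diff does not show those consumers. Both enclosing handlers start and end outside the hunks.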
@ -240,7 +240,6 @@ router.get('/zip', function(req, res, next) {
|
|||||||
});
|
});
|
||||||
|
|
||||||
router.get('/html', function(req, res) {
|
router.get('/html', function(req, res) {
|
||||||
console.log("!!!!! hello ");
|
|
||||||
db.Artifact.findAll({where: {
|
db.Artifact.findAll({where: {
|
||||||
space_id: req.space._id
|
space_id: req.space._id
|
||||||
}}).then(function(artifacts) {
|
}}).then(function(artifacts) {
|
||||||
|
@ -25,8 +25,15 @@ var glob = require('glob');
|
|||||||
|
|
||||||
router.get('/current', function(req, res, next) {
|
router.get('/current', function(req, res, next) {
|
||||||
if (req.user) {
|
if (req.user) {
|
||||||
console.log(req.user.team);
|
var u = _.clone(req.user.dataValues);
|
||||||
res.status(200).json(req.user);
|
delete u.password_hash;
|
||||||
|
delete u.password_reset_token;
|
||||||
|
delete u.confirmation_token;
|
||||||
|
u.token = req.cookies['sdsession'];
|
||||||
|
|
||||||
|
console.log(u);
|
||||||
|
|
||||||
|
res.status(200).json(u);
|
||||||
} else {
|
} else {
|
||||||
res.status(401).json({"error":"user_not_found"});
|
res.status(401).json({"error":"user_not_found"});
|
||||||
}
|
}
|
||||||
|
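Review bot: `console.log(u);` in `router.get('/current')` writes the whole user record, including the freshly attached `u.token` (the `sdsession` cookie value), to the server log on every call; the commit removes the equivalent `!!!` logs in the sessions router and this line should go with them. Stripping three known fields from `_.clone(req.user.dataValues)` is a denylist, so any sensitive column added later, or an association loaded onto `dataValues`, is returned by default; picking the fields the client needs, e.g. `var u = _.pick(req.user.dataValues, ['_id', 'email', /* …the columns the client actually uses… */]);`, is the safer shape. Returning the session cookie in the body also means the `httpOnly` flag on `sdsession` no longer keeps it away from page scripts, which is worth a comment on the `u.token =` line if it is intentional. The handler's closing lines are outside the hunk.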
@ -22,29 +22,13 @@
|
|||||||
window.browser_lang = '[[locale]]';
|
window.browser_lang = '[[locale]]';
|
||||||
window.csrf_token = '[[csrf_token]]';
|
window.csrf_token = '[[csrf_token]]';
|
||||||
|
|
||||||
{% if process.env.NODE_ENV != "production" %}
|
var ENV = {
|
||||||
var ENV = {
|
name: 'development',
|
||||||
name: 'development',
|
webHost: location.host,
|
||||||
webHost: "localhost:9666",
|
webEndpoint: location.origin,
|
||||||
webEndpoint:"http://localhost:9666",
|
apiEndpoint: location.origin,
|
||||||
apiEndpoint: "http://localhost:9666",
|
websocketsEndpoint: location.origin.replace("https:","wss:").replace("http:","ws:")
|
||||||
websocketsEndpoint: "ws://localhost:9666"
|
};
|
||||||
};
|
|
||||||
{% else %}
|
|
||||||
var ENV = {
|
|
||||||
name: 'production',
|
|
||||||
webHost: location.host,
|
|
||||||
webEndpoint: location.origin,
|
|
||||||
apiEndpoint: location.origin,
|
|
||||||
websocketsEndpoint: location.origin.replace("https:","wss:").replace("http:","ws:")
|
|
||||||
};
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if subdomain_team %}
|
|
||||||
var subdomainTeam = [[ subdomain_team | json | safe ]];
|
|
||||||
{% else %}
|
|
||||||
var subdomainTeam = null;
|
|
||||||
{% endif %}
|
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
{% if process.env.NODE_ENV == "production" %}
|
{% if process.env.NODE_ENV == "production" %}
|
||||||
|
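Review bot: With the `{% if process.env.NODE_ENV != "production" %}` branch removed, `name: 'development'` is now emitted unconditionally, whereas the old production branch set `name: 'production'`; anything that reads `ENV.name` (no reader is visible in this diff, so this may be harmless) now sees the wrong value in production. Either drop the field or keep it truthful by rendering it from the server the way `'[[locale]]'` is, rather than hard-coding it. The rest of the new `ENV` block is consistent with the removal of `subdomainTeam` in the routes hunk, which was its only visible consumer.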