fix session token/cookie handling for arbitrary server IPs; fix realtime update distribution via websockets

Lukas F. Hartmann 2018-05-01 17:04:08 +02:00
parent f752ec4219
commit c19f00b316
10 changed files with 34 additions and 16012 deletions


@ -16,7 +16,8 @@ module.exports = (req, res, next) => {
else db.User.findOne({where: {_id: session.user_id}}) else db.User.findOne({where: {_id: session.user_id}})
.then(user => { .then(user => {
if (!user) { if (!user) {
res.clearCookie('sdsession'); var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
res.clearCookie('sdsession', { domain: domain });
if (req.accepts("text/html")) { if (req.accepts("text/html")) {
res.send("Please clear your cookies and try again."); res.send("Please clear your cookies and try again.");
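Review bot: `req.headers.hostname` on the new `var domain` line is not a standard request header; the client's Host value lives in `req.headers.host` (with the port, which is not valid in a cookie Domain attribute), and Express — which `req.accepts`/`res.clearCookie` suggest this is — exposes it port-stripped as `req.hostname`. As written the non-production branch almost certainly yields `undefined`, so the cookie is cleared host-only, which happens to match a cookie that was set the same way but is not what the expression intends. The same expression appears twice in the sessions route further down (the login `res.cookie` and the logout `clearCookie`); changing all three to `… : req.hostname` keeps set and clear consistent. The enclosing middleware function starts before and ends after this hunk.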



@ -252,8 +252,6 @@ var SpacedeckRoutes = {
// #hash // #hash
if (event.currentTarget.hash && event.currentTarget.hash.length>1) return; if (event.currentTarget.hash && event.currentTarget.hash.length>1) return;
console.log("clicked", event.currentTarget.pathname);
// external link? // external link?
if (event.currentTarget.host != location.host) return; if (event.currentTarget.host != location.host) return;
@ -269,35 +267,6 @@ var SpacedeckRoutes = {
event.preventDefault(); event.preventDefault();
}.bind(this)); }.bind(this));
if (location.host!=ENV.webHost) {
if (!subdomainTeam) {
location.href = ENV.webEndpoint;
return;
} else {
if(subdomainTeam.subdomain) {
var realHost = (subdomainTeam.subdomain + "." + ENV.webHost);
if (location.host != realHost) {
location.href = realHost;
return;
}
} else {
location.href = ENV.webEndpoint;
return;
}
}
}
if (this.logged_in) {
if (this.user.team) {
if (this.user.team.subdomain && this.user.team.subdomain.length > 0) {
var realHost = (this.user.team.subdomain + "." + ENV.webHost);
if (location.host != realHost) {
location.href = location.protocol + "//" + realHost + location.pathname;
return;
}
}
}
}
this.internal_route(location.pathname); this.internal_route(location.pathname);
}, },


@ -48,10 +48,6 @@ SpacedeckUsers = {
}, },
finalize_login: function(session_token, on_success) { finalize_login: function(session_token, on_success) {
if(!window.socket_auth || window.socket_auth == '' || window.socket_auth == 'null') {
window.socket_auth = session_token;
}
this.load_user(function(user) { this.load_user(function(user) {
if (this.invitation_token) { if (this.invitation_token) {
accept_invitation(this.invitation_token, function(memberships){ accept_invitation(this.invitation_token, function(memberships){


@ -59,13 +59,13 @@ SpacedeckWebsockets = {
else if (msg.action == "delete" && msg.object) { else if (msg.action == "delete" && msg.object) {
if (this.active_space) { if (this.active_space) {
var o = msg.object; var o = msg.object;
if(o._id){ if (o._id){
var existing_artifact = this.find_artifact_by_id(o._id); var existing_artifact = this.find_artifact_by_id(o._id);
if (existing_artifact) { if (existing_artifact) {
var idx = this.active_space_artifacts.indexOf(existing_artifact); var idx = this.active_space_artifacts.indexOf(existing_artifact);
this.active_space_artifacts.splice(idx, 1); this.active_space_artifacts.splice(idx, 1);
} else console.log("existing artifact to delete not found"); } else console.log("existing artifact to delete not found");
}else console.error("object without _id"); } else console.error("object without _id");
} }
} }
} }
@ -101,11 +101,13 @@ SpacedeckWebsockets = {
} }
if (this.websocket && this.websocket.readyState==1) { if (this.websocket && this.websocket.readyState==1) {
var token = "";
if (this.user) token = this.user.token;
var auth_params = { var auth_params = {
action: "auth", action: "auth",
editor_auth: space_auth, editor_auth: space_auth,
editor_name: this.guest_nickname, editor_name: this.guest_nickname,
auth_token: window.socket_auth, auth_token: token,
space_id: space._id space_id: space._id
}; };
console.log("[websocket] auth space"); console.log("[websocket] auth space");
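Review bot: The new two-line `var token = ""; if (this.user) token = this.user.token;` can be a single expression, `var token = this.user ? this.user.token : "";`, matching the ternary style used elsewhere in this commit. If `this.user` is present but has no `token` field (it presumably comes from the `/current` user route, which is where this commit adds the field — confirm), `auth_token` becomes `undefined` and is dropped from the serialized frame; `var token = (this.user && this.user.token) || "";` keeps it a string in both cases. The enclosing function starts before and ends after this hunk.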


@ -23,15 +23,11 @@ router.post('/', function(req, res) {
db.User.findOne({where: {email: email}}) db.User.findOne({where: {email: email}})
.error(err => { .error(err => {
res.sendStatus(404); res.sendStatus(404);
//res.status(400).json({"error":"session.users"});
}) })
.then(user => { .then(user => {
console.log("!!! user: ",user.password_hash);
if (bcrypt.compareSync(password, user.password_hash)) { if (bcrypt.compareSync(password, user.password_hash)) {
crypto.randomBytes(48, function(ex, buf) { crypto.randomBytes(48, function(ex, buf) {
var token = buf.toString('hex'); var token = buf.toString('hex');
console.log("!!! token: ",token);
var session = { var session = {
user_id: user._id, user_id: user._id,
@ -47,7 +43,7 @@ router.post('/', function(req, res) {
res.sendStatus(500); res.sendStatus(500);
}) })
.then(() => { .then(() => {
var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : "localhost"; var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
res.cookie('sdsession', token, { domain: domain, httpOnly: true }); res.cookie('sdsession', token, { domain: domain, httpOnly: true });
res.status(201).json(session); res.status(201).json(session);
}); });
@ -60,16 +56,14 @@ router.post('/', function(req, res) {
router.delete('/current', function(req, res, next) { router.delete('/current', function(req, res, next) {
if (req.user) { if (req.user) {
/*var user = req.user; var token = req.cookies['sdsession'];
var newSessions = user.sessions.filter( function(session){ db.Session.findOne({where: {token: token}})
return session.token != req.token; .then(session => {
});*/ session.destroy();
//user.sessions = newSessions; });
//user.save(function(err, result) { var domain = (process.env.NODE_ENV == "production") ? new URL(config.get('endpoint')).hostname : req.headers.hostname;
var domain = new URL(config.get('endpoint')).hostname; res.clearCookie('sdsession', { domain: domain });
res.clearCookie('sdsession', { domain: domain }); res.sendStatus(204);
res.sendStatus(204);
//});
} else { } else {
res.sendStatus(404); res.sendStatus(404);
} }
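Review bot: In the rewritten `router.delete('/current', …)` handler the `session.destroy()` call is fire-and-forget: the `clearCookie` and 204 are sent before the row is deleted, a missing row (`findOne` resolving `null`) throws inside the `.then` with no `.catch`, and a database failure leaves the server-side session valid while the client believes it has logged out. Chain the response after the destroy and route errors to `next`, as below. The same null gap exists in the login handler in the first hunk: `.error()` only catches database errors, so an unknown e-mail reaches `user.password_hash` on `null` and rejects unhandled; a `if (!user) return res.sendStatus(404);` guard at the top of that `.then` closes it. Separately, the login cookie on the `res.cookie('sdsession', …)` line is `httpOnly` but carries neither `secure` nor `sameSite`; `{ domain: domain, httpOnly: true, secure: process.env.NODE_ENV == "production", sameSite: 'lax' }` is the usual setting for a session cookie.
```javascript
router.delete('/current', function(req, res, next) {
  if (req.user) {
    var token = req.cookies['sdsession'];
    // … unchanged: domain computation …
    db.Session.findOne({where: {token: token}})
      .then(session => (session ? session.destroy() : null))
      .then(() => {
        res.clearCookie('sdsession', { domain: domain });
        res.sendStatus(204);
      })
      .catch(next);
  } else {
    res.sendStatus(404);
  }
});
```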


@ -133,7 +133,7 @@ router.post('/:artifact_id/payload', function(req, res, next) {
var progress_callback = function(progress_msg) { var progress_callback = function(progress_msg) {
a.description = progress_msg; a.description = progress_msg;
a.save(); a.save();
redis.sendMessage("update", a, a.toJSON(), req.channelId); redis.sendMessage("update", a, JSON.stringify(a), req.channelId);
}; };
stream.on('finish', function() { stream.on('finish', function() {
@ -171,6 +171,7 @@ router.put('/:artifact_id', function(req, res, next) {
}}).then(rows => { }}).then(rows => {
db.unpackArtifact(newAttr); db.unpackArtifact(newAttr);
db.Space.update({ updated_at: new Date() }, {where: {_id: req.space._id} }); db.Space.update({ updated_at: new Date() }, {where: {_id: req.space._id} });
newAttr._id = a._id;
res.distributeUpdate("Artifact", newAttr); res.distributeUpdate("Artifact", newAttr);
}); });
}); });
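Review bot: Both hunks leave promise results dangling: `a.save()` in `progress_callback` and `db.Space.update(…)` on the line before the new `newAttr._id = a._id;` are neither awaited nor given a rejection handler, so a database error surfaces as an unhandled rejection instead of reaching `next(err)`. At minimum `db.Space.update({ updated_at: new Date() }, {where: {_id: req.space._id} }).catch(next);` — and likewise `a.save().catch(next);` — makes the failure visible; whether the outer `.then(rows => …)` chain has its own `.catch` is outside the hunk, so I cannot tell. The switch from `a.toJSON()` to `JSON.stringify(a)` in the redis call changes the payload from an object to a string, which is fine if every subscriber parses it, but the other `sendMessage` callers are not in this hunk and should pass the same shape. Both enclosing route handlers start before and end after these hunks.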


@ -240,7 +240,6 @@ router.get('/zip', function(req, res, next) {
}); });
router.get('/html', function(req, res) { router.get('/html', function(req, res) {
console.log("!!!!! hello ");
db.Artifact.findAll({where: { db.Artifact.findAll({where: {
space_id: req.space._id space_id: req.space._id
}}).then(function(artifacts) { }}).then(function(artifacts) {


@ -25,8 +25,15 @@ var glob = require('glob');
router.get('/current', function(req, res, next) { router.get('/current', function(req, res, next) {
if (req.user) { if (req.user) {
console.log(req.user.team); var u = _.clone(req.user.dataValues);
res.status(200).json(req.user); delete u.password_hash;
delete u.password_reset_token;
delete u.confirmation_token;
u.token = req.cookies['sdsession'];
console.log(u);
res.status(200).json(u);
} else { } else {
res.status(401).json({"error":"user_not_found"}); res.status(401).json({"error":"user_not_found"});
} }
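Review bot: `console.log(u);` on the new line just before `res.status(200).json(u)` writes the session token assigned on the previous line (`u.token = req.cookies['sdsession']`) together with the user's e-mail and remaining columns into the process log; remove that line, or log no more than `u._id`. The three `delete` statements are a deny-list, so any sensitive column added to the user model later is exposed by default; building `u` from an explicit list of fields would be more robust. Putting the cookie value in the response body also makes the token readable by page scripts, which the cookie's `httpOnly` flag no longer protects against — presumably intended for the websocket auth change in this commit, but it deserves a comment such as `// token is exposed to the client so the websocket auth frame can carry it`. The handler's `router.get('/current', …)` opening is inside the hunk; its closing is outside.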


@ -22,29 +22,13 @@
window.browser_lang = '[[locale]]'; window.browser_lang = '[[locale]]';
window.csrf_token = '[[csrf_token]]'; window.csrf_token = '[[csrf_token]]';
{% if process.env.NODE_ENV != "production" %} var ENV = {
var ENV = { name: 'development',
name: 'development', webHost: location.host,
webHost: "localhost:9666", webEndpoint: location.origin,
webEndpoint:"http://localhost:9666", apiEndpoint: location.origin,
apiEndpoint: "http://localhost:9666", websocketsEndpoint: location.origin.replace("https:","wss:").replace("http:","ws:")
websocketsEndpoint: "ws://localhost:9666" };
};
{% else %}
var ENV = {
name: 'production',
webHost: location.host,
webEndpoint: location.origin,
apiEndpoint: location.origin,
websocketsEndpoint: location.origin.replace("https:","wss:").replace("http:","ws:")
};
{% endif %}
{% if subdomain_team %}
var subdomainTeam = [[ subdomain_team | json | safe ]];
{% else %}
var subdomainTeam = null;
{% endif %}
</script> </script>
{% if process.env.NODE_ENV == "production" %} {% if process.env.NODE_ENV == "production" %}