rainbownapkin/fore.st
1
0
Fork 0
Code Issues 13 Pull requests Projects Releases Packages Wiki Activity Actions

Remove ?dest= redirect logic for /login and use referrer instead

Browse source
This commit is contained in:
Calvin Montgomery 2017-08-22 17:25:18 -07:00
parent a48cab81b9
commit 7e6312f9d1
2 changed files with 19 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

20
src/web/auth.js
View file

@ -18,6 +18,19 @@ var csrf = require("./csrf");
const LOGGER = require('@calzoneman/jsli')('web/auth');
function getSafeReferrer(req) {
const referrer = req.header('referer');
const { hostname } = url.parse(referrer);
// TODO: come back to this when refactoring http alt domains
if (hostname === Config.get('http.root-domain')
|| Config.get('http.alt-domains').includes(hostname)) {
return referrer;
} else {
return null;
}
}
/**
* Processes a login request. Sets a cookie upon successful authentication
*/
@ -27,7 +40,7 @@ function handleLogin(req, res) {
var name = req.body.name;
var password = req.body.password;
var rememberMe = req.body.remember;
var dest = req.body.dest || req.header("referer") || null;
var dest = req.body.dest || getSafeReferrer(req) || null;
dest = dest && dest.match(/login|logout/) ? null : dest;
if (typeof name !== "string" || typeof password !== "string") {
@ -36,6 +49,7 @@ function handleLogin(req, res) {
}
var host = req.hostname;
// TODO: remove this check from /login, make it generic middleware
if (host.indexOf(Config.get("http.root-domain")) === -1 &&
Config.get("http.alt-domains").indexOf(host) === -1) {
LOGGER.warn("Attempted login from non-approved domain " + host);
@ -102,7 +116,7 @@ function handleLoginPage(req, res) {
});
}
var redirect = req.query.dest || req.header("referer");
var redirect = getSafeReferrer(req);
var locals = {};
if (!/\/register/.test(redirect)) {
locals.redirect = redirect;
@ -120,7 +134,7 @@ function handleLogout(req, res) {
res.clearCookie("auth");
res.locals.loggedIn = res.locals.loginName = res.locals.superadmin = false;
// Try to find an appropriate redirect
var dest = req.body.dest || req.header("referer");
var dest = req.body.dest || getSafeReferrer(req);
dest = dest && dest.match(/login|logout|account/) ? null : dest;
var host = req.hostname;