2018-09-24 16:47:05 +03:00
|
|
|
const fs = require('fs-extra');
|
|
|
|
const url = require('url');
|
|
|
|
const session = require('cookie-session');
|
|
|
|
const crypto = require('crypto');
|
|
|
|
const path = require('path');
|
2020-05-27 20:47:53 +03:00
|
|
|
const config = require('../../../../shared/config');
|
2020-05-28 13:57:02 +03:00
|
|
|
const urlUtils = require('../../../../shared/url-utils');
|
2020-08-11 14:51:16 +03:00
|
|
|
const constants = require('@tryghost/constants');
|
2020-05-22 21:22:20 +03:00
|
|
|
const {i18n} = require('../../../../server/lib/common');
|
|
|
|
const errors = require('@tryghost/errors');
|
2019-06-19 12:30:28 +03:00
|
|
|
const settingsCache = require('../../../../server/services/settings/cache');
|
2018-09-24 16:47:05 +03:00
|
|
|
// routeKeywords.private: 'private'
|
|
|
|
const privateRoute = '/private/';
|
2015-07-15 19:01:23 +03:00
|
|
|
|
|
|
|
function verifySessionHash(salt, hash) {
|
|
|
|
if (!salt || !hash) {
|
2017-10-03 14:40:53 +03:00
|
|
|
return false;
|
2015-07-15 19:01:23 +03:00
|
|
|
}
|
|
|
|
|
2018-06-28 11:50:03 +03:00
|
|
|
let hasher = crypto.createHash('sha256');
|
2017-10-03 14:40:53 +03:00
|
|
|
hasher.update(settingsCache.get('password') + salt, 'utf8');
|
|
|
|
return hasher.digest('hex') === hash;
|
2015-07-15 19:01:23 +03:00
|
|
|
}
|
|
|
|
|
2018-09-24 16:47:05 +03:00
|
|
|
function getRedirectUrl(query) {
|
|
|
|
try {
|
2020-03-02 11:18:49 +03:00
|
|
|
const redirect = decodeURIComponent(query.r || '/');
|
2018-12-17 14:53:45 +03:00
|
|
|
return url.parse(redirect).pathname;
|
2018-09-24 16:47:05 +03:00
|
|
|
} catch (e) {
|
|
|
|
return '/';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
const privateBlogging = {
|
2015-07-15 19:01:23 +03:00
|
|
|
checkIsPrivate: function checkIsPrivate(req, res, next) {
|
2018-06-28 11:50:03 +03:00
|
|
|
let isPrivateBlog = settingsCache.get('is_private');
|
2015-07-15 19:01:23 +03:00
|
|
|
|
2017-10-03 14:40:53 +03:00
|
|
|
if (!isPrivateBlog) {
|
|
|
|
res.isPrivateBlog = false;
|
|
|
|
return next();
|
|
|
|
}
|
2015-07-15 19:01:23 +03:00
|
|
|
|
2017-10-03 14:40:53 +03:00
|
|
|
res.isPrivateBlog = true;
|
2015-07-15 19:01:23 +03:00
|
|
|
|
2017-10-03 14:40:53 +03:00
|
|
|
return session({
|
2017-12-14 16:13:40 +03:00
|
|
|
maxAge: constants.ONE_MONTH_MS,
|
2020-04-15 12:51:47 +03:00
|
|
|
signed: false,
|
|
|
|
sameSite: 'none'
|
2017-10-03 14:40:53 +03:00
|
|
|
})(req, res, next);
|
2015-07-15 19:01:23 +03:00
|
|
|
},
|
|
|
|
|
|
|
|
filterPrivateRoutes: function filterPrivateRoutes(req, res, next) {
|
2020-06-16 13:42:32 +03:00
|
|
|
// If this site is not in private mode, skip
|
|
|
|
if (!res.isPrivateBlog) {
|
|
|
|
return next();
|
|
|
|
}
|
|
|
|
|
|
|
|
// CASE: this is the /private/ page, continue (allow this to be rendered)
|
|
|
|
if (req.path === `${privateRoute}`) {
|
2015-07-15 19:01:23 +03:00
|
|
|
return next();
|
|
|
|
}
|
|
|
|
|
2020-06-16 13:42:32 +03:00
|
|
|
// CASE: this is the robots.txt file, serve a special private version
|
|
|
|
if (req.path === '/robots.txt') {
|
2017-10-03 14:40:53 +03:00
|
|
|
return fs.readFile(path.resolve(__dirname, '../', 'robots.txt'), function readFile(err, buf) {
|
2015-07-15 19:01:23 +03:00
|
|
|
if (err) {
|
|
|
|
return next(err);
|
|
|
|
}
|
2017-05-29 23:10:32 +03:00
|
|
|
|
2015-07-15 19:01:23 +03:00
|
|
|
res.writeHead(200, {
|
|
|
|
'Content-Type': 'text/plain',
|
|
|
|
'Content-Length': buf.length,
|
2017-05-29 23:10:32 +03:00
|
|
|
'Cache-Control': 'public, max-age=' + config.get('caching:robotstxt:maxAge')
|
2015-07-15 19:01:23 +03:00
|
|
|
});
|
2017-05-29 23:10:32 +03:00
|
|
|
|
2015-07-15 19:01:23 +03:00
|
|
|
res.end(buf);
|
|
|
|
});
|
|
|
|
}
|
2017-10-03 14:40:53 +03:00
|
|
|
|
2017-10-05 13:07:32 +03:00
|
|
|
// CASE: Allow private RSS feed urls.
|
2020-06-16 13:42:32 +03:00
|
|
|
// If the path matches the private rss feed URL we rewrite the url. Even Express uses rewriting when using `app.use()`.
|
|
|
|
let isPrivateRSS = new RegExp(`/${settingsCache.get('public_hash')}/rss(/)?$`);
|
|
|
|
if (isPrivateRSS.test(req.path)) {
|
2017-10-05 13:07:32 +03:00
|
|
|
req.url = req.url.replace(settingsCache.get('public_hash') + '/', '');
|
|
|
|
return next();
|
|
|
|
}
|
|
|
|
|
|
|
|
// NOTE: Redirect to /private if the session does not exist.
|
|
|
|
privateBlogging.authenticatePrivateSession(req, res, function onSessionVerified() {
|
|
|
|
// CASE: RSS is disabled for private blogging e.g. they create overhead
|
2020-06-15 22:13:35 +03:00
|
|
|
if (req.path.match(/\/rss\/$/)) {
|
2020-05-22 21:22:20 +03:00
|
|
|
return next(new errors.NotFoundError({
|
|
|
|
message: i18n.t('errors.errors.pageNotFound')
|
2017-10-05 13:07:32 +03:00
|
|
|
}));
|
|
|
|
}
|
|
|
|
|
|
|
|
next();
|
|
|
|
});
|
2015-07-15 19:01:23 +03:00
|
|
|
},
|
|
|
|
|
|
|
|
authenticatePrivateSession: function authenticatePrivateSession(req, res, next) {
|
2020-04-29 18:44:27 +03:00
|
|
|
const hash = req.session.token || '';
|
|
|
|
const salt = req.session.salt || '';
|
|
|
|
const isVerified = verifySessionHash(salt, hash);
|
2015-07-15 19:01:23 +03:00
|
|
|
|
2017-10-03 14:40:53 +03:00
|
|
|
if (isVerified) {
|
|
|
|
return next();
|
|
|
|
} else {
|
2020-06-15 22:13:35 +03:00
|
|
|
let redirectUrl = urlUtils.urlFor({relativeUrl: privateRoute});
|
|
|
|
redirectUrl += '?r=' + encodeURIComponent(req.url);
|
2020-06-16 13:42:32 +03:00
|
|
|
|
2020-06-15 22:13:35 +03:00
|
|
|
return res.redirect(redirectUrl);
|
2017-10-03 14:40:53 +03:00
|
|
|
}
|
2015-07-15 19:01:23 +03:00
|
|
|
},
|
|
|
|
|
|
|
|
// This is here so a call to /private/ after a session is verified will redirect to home;
|
2020-06-15 22:55:59 +03:00
|
|
|
redirectPrivateToHomeIfLoggedIn: function redirectPrivateToHomeIfLoggedIn(req, res, next) {
|
2015-07-15 19:01:23 +03:00
|
|
|
if (!res.isPrivateBlog) {
|
2019-06-18 16:13:55 +03:00
|
|
|
return res.redirect(urlUtils.urlFor('home', true));
|
2015-07-15 19:01:23 +03:00
|
|
|
}
|
|
|
|
|
2020-04-29 18:44:27 +03:00
|
|
|
const hash = req.session.token || '';
|
|
|
|
const salt = req.session.salt || '';
|
|
|
|
const isVerified = verifySessionHash(salt, hash);
|
2017-10-03 14:40:53 +03:00
|
|
|
|
|
|
|
if (isVerified) {
|
|
|
|
// redirect to home if user is already authenticated
|
2019-06-18 16:13:55 +03:00
|
|
|
return res.redirect(urlUtils.urlFor('home', true));
|
2017-10-03 14:40:53 +03:00
|
|
|
} else {
|
|
|
|
return next();
|
|
|
|
}
|
2015-07-15 19:01:23 +03:00
|
|
|
},
|
|
|
|
|
2020-06-15 22:55:59 +03:00
|
|
|
doLoginToPrivateSite: function doLoginToPrivateSite(req, res, next) {
|
2015-07-15 19:01:23 +03:00
|
|
|
// if errors have been generated from the previous call
|
|
|
|
if (res.error) {
|
|
|
|
return next();
|
|
|
|
}
|
|
|
|
|
2018-09-24 16:47:05 +03:00
|
|
|
const bodyPass = req.body.password;
|
|
|
|
const pass = settingsCache.get('password');
|
|
|
|
const hasher = crypto.createHash('sha256');
|
|
|
|
const salt = Date.now().toString();
|
|
|
|
const forward = getRedirectUrl(req.query);
|
2017-10-03 14:40:53 +03:00
|
|
|
|
|
|
|
if (pass === bodyPass) {
|
|
|
|
hasher.update(bodyPass + salt, 'utf8');
|
|
|
|
req.session.token = hasher.digest('hex');
|
|
|
|
req.session.salt = salt;
|
|
|
|
|
2019-06-18 16:13:55 +03:00
|
|
|
return res.redirect(urlUtils.urlFor({relativeUrl: forward}));
|
2017-10-03 14:40:53 +03:00
|
|
|
} else {
|
|
|
|
res.error = {
|
2020-05-22 21:22:20 +03:00
|
|
|
message: i18n.t('errors.middleware.privateblogging.wrongPassword')
|
2017-10-03 14:40:53 +03:00
|
|
|
};
|
|
|
|
return next();
|
|
|
|
}
|
2020-06-16 13:42:32 +03:00
|
|
|
},
|
|
|
|
|
|
|
|
/**
|
|
|
|
* We should never render a 404 error for private sites, as these can leak information
|
|
|
|
*/
|
|
|
|
handle404: function handle404(err, req, res, next) {
|
|
|
|
// CASE: not a private site, skip to next handler
|
|
|
|
if (!res.isPrivateBlog) {
|
|
|
|
return next(err);
|
|
|
|
}
|
|
|
|
|
|
|
|
// CASE: not a private 404, something else went wrong, show an error
|
|
|
|
if (err.statusCode !== 404) {
|
|
|
|
return next(err);
|
|
|
|
}
|
|
|
|
|
|
|
|
// CASE: 404 - redirect this page back to /private/ if the user isn't verified
|
|
|
|
return privateBlogging.authenticatePrivateSession(req, res, function onSessionVerified() {
|
|
|
|
// CASE: User is logged in, render an error
|
|
|
|
return next(err);
|
|
|
|
});
|
2015-07-15 19:01:23 +03:00
|
|
|
}
|
|
|
|
};
|
|
|
|
|
2015-10-12 19:54:15 +03:00
|
|
|
module.exports = privateBlogging;
|